(June 6, 2017) As cyberattacks become increasingly common, businesses are confronting risks previously only seen in works of fiction. Cybercriminals steal users’ identities, make fraudulent purchases, and disrupt everything from travel to essential emergency services.
With this in mind, New York recently became the first state to impose minimum cybersecurity standards on financial services companies. While these regulations are only binding on specific entities transacting business in New York, the policies those companies are adopting in response to the regulations offer valuable guidance to similar businesses throughout the country.
Before creating policies to address cybersecurity, a business should assess what its risks are by answering – at a minimum – the following:
- What data does it store, and where?
- Does it store the data itself, or does it rely on a third party to do so?
- If data is stored offsite, who can access it, both in transit to and from the storage facility and within the storage facility?
- Who can access the company’s network?
- Are all portions of the network accessible by all employees and contractors?
- How are users authenticated?
- Is the network monitored for vulnerabilities and, if so, how?
Depending on the answers to those questions, companies should implement policies that address not only internal hardware, data access, and data storage, but also contracting with third parties who come into contact with the business's hardware and data. Some issues these policies may address include:
- Where will the data be hosted?
- How is it transmitted and stored?
- What type of encryption will be used?
- How are users authenticated?
- How does the vendor achieve geographic redundancy?
- What happens to the company’s data if the vendor goes out of business, is acquired, or merges with a different entity?
- What happens in the event of a breach or a disaster?
- How, and over what network(s), may users remotely access company data and networks?
- What are the rules governing mobile device management?
- What is the data backup process?
- What are the keys to eliminating network redundancy?
- How will the privacy of customer and client data be protected?
- What is the incident response plan in the event of a breach or disaster?
While policies themselves cannot protect your data from a cyberattack, making sure your users and your information technology vendors follow some common-sense safeguards can greatly decrease the likelihood that your network will be breached and that both your valuable data and your customers' or clients' confidential information will be jeopardized.
For more information on how to reduce risk and protect your organization from fraud, contact Hal Ostrow.