Happy National Cybersecurity Awareness Month!

By Antonia Dumas, Consultant at XPAN Law Group LLC 

It is now October, which means it is officially Cybersecurity Awareness Month once again! Cybersecurity should be top of mind this month, so take some time to learn how to better protect yourself and your business. In particular, this is a great time to learn more about key cybersecurity topics and issues, with the goal of determining which tips you can incorporate into your daily activities and into the management of your business.

Collaborative Cybersecurity Awareness for All 

National Cybersecurity Awareness Month (NCSAM) is “a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.” The goal of the 2019 National Cybersecurity Awareness Month is “to emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace.” This year’s overarching message, “Own IT. Secure IT. Protect IT.”, focuses on citizen privacy, consumer devices, and e-commerce security.

You may have noticed that this month is full of cybersecurity events and activities for individuals and small businesses. These events and initiatives are taking place across the country and are hosted by government agencies, universities, private entities, and others.

As part of a general government initiative to provide helpful guidance in this area, here are some free resources from the Department of Homeland Security (DHS) and Federal Trade Commission (FTC):  

XPAN’s Cybersecurity Tips 

As practitioners in cybersecurity and data privacy, XPAN has highlighted some of the key cybersecurity and privacy topics in blog posts throughout the last year, and there are more to come, so keep your eyes out!

XPAN’s 10 Tips for Cybersecurity Awareness Month: 

#1: Make Cybersecurity a Priority

Understand your data and make cybersecurity a priority to protect that data. (See XPAN’s post, First Step of Data Privacy Compliance: Understanding Your Data). Take steps to understand your systems (and data that is stored and processed on those systems) and use that knowledge to create a holistic cybersecurity and data privacy approach. 

#2: Classify and Categorize Your Data 

In order to understand your data, you need to locate it, classify it, and track its flow throughout your systems. You should complete a data categorization (the process of classifying your data and creating a data inventory) and then update it at least once a year. (See XPAN’s post, Data Categorizations: A Back to School Basic). Once you complete this process, your IT department can better plan the cybersecurity controls and protection mechanisms your systems require.

#3: Implement Additional Security Procedures Into Your Daily Tasks

Implementing security processes and taking advantage of system and application settings will help strengthen your cybersecurity protection. One example is two-factor (or multi-factor) authentication (see XPAN’s post, The Many Factors of Two-Factor Authentication). Other mechanisms include password requirements, lockout policies, and automatic monitoring and logging. These types of processes and mechanisms are affordable and are a quick way to strengthen your security.

#4: Restrict and Manage Biometric Data Collection

Biometric data (data which results from technical processing related to a person’s physical, physiological or behavioral characteristics) is personal and sensitive data that requires protection within your system. There is already some specific regulation of such data at the international and state levels. (See XPAN’s post, A Biometric Data Regulation: Coming to a State Near You). So, you need to be careful to restrict and manage the biometric data you collect, process and store.

#5: Establish (or Adopt if possible) Codes of Conduct 

Establish internal codes of conduct that require both employee and management accountability (even executive certification); these help to ensure and prove compliance with various data protection regulations. For example, some states require certification of compliance with existing privacy regulatory requirements, as do international regulations like the General Data Protection Regulation. (See XPAN’s post, An Active Summer for GDPR: Part I, Codes of Conduct & Certification under the GDPR).

#6: Keep Up With Cybersecurity Training and Continuous Awareness 

You should continuously raise cybersecurity awareness and train all staff (new and existing employees, permanent or temporary), as well as emphasize accountability practices. (See XPAN’s post, Do Not Hit The Red Button! Making Cybersecurity and Data Privacy Training A Requirement). These activities should focus in particular on phishing and social engineering tactics, which are frequent threats, and should give employees the knowledge of what to do when a suspected incident or mistake occurs.

#7: Protect Yourself From Third-Party Risks

Poor third-party management has been the source of many cybersecurity breaches this year and a particular focus of various state regulations as well as FTC enforcement actions. (See XPAN’s post, Insider Threats Part 3 – Making Third-Party Risk Management A Priority). So, due diligence on and management of existing and new third-party relationships (vendors, suppliers, independent contractors, etc.) should be a top priority.

#8: Assign Cybersecurity Responsibility

In order for your cybersecurity approach to be effective, you need to assign responsibility for cybersecurity within your organization. For example, you can designate a senior-level executive as chief information security officer (CISO), responsible for your organization’s information and data security. However, make sure you provide the necessary resources and support for your CISO to fulfill this role (e.g., team support and even outside counsel). (See XPAN’s post, A CISO and Outside Cybersecurity Counsel: A Marriage Made in Heaven).

#9: Assign Data Privacy Responsibility 

Not only should you assign responsibility for cybersecurity within your organization, but you should also assign responsibility for data privacy specifically. You can do so with an existing employee, or hire an independent individual to be responsible for data privacy (such as a Data Protection Officer under the GDPR). However, be careful when appointing a DPO to ensure there are no conflicts of interest. (See XPAN’s post, Beware of Potential Conflicts: Should Your Organization Appoint an IT Director as a Data Protection Officer?).

#10: Be Aware of Cyber Attacks 

Lastly, remember that the upcoming holiday season is a prime time for cybersecurity attacks. (See XPAN’s post, ‘Tis the Season…for Cyber Attacks). While we are all getting excited about our holiday parties and gifts, cybercriminals are waiting to catch us off guard and uninformed. Defend yourself by keeping informed and implementing these key tips.

Keep an eye out for XPAN team members participating in cybersecurity awareness events this month. And remember that in all things cybersecurity and data privacy related, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.