Each business has a different reason for prioritizing cybersecurity. For some, it is the recognition that cybersecurity has become one of the basics every business needs in order to survive today; they see it as being as essential to the success of the business as having an accountant or a customer support team. Others invest in cybersecurity to protect their customers' personal information after reading yet another headline about a company falling victim to a data breach. And some companies are the unfortunate ones in those headlines that everyone else heard about. They have learned the hard way that preventing an attack is worth the time, effort, and money, because responding to one is far more stressful and expensive than being proactive.
If none of these sounds like a motivator for you to give your cyber defenses some attention, consider that there can be legal ramifications for not being up to snuff on cybersecurity. Although the US does not currently have a single, comprehensive federal cybersecurity law, there are federal laws and orders that apply in certain arenas and must be considered. Beyond the laws everyone has to follow, many industries have their own rules and standards that a business has to meet in order to be taken seriously within the field. On top of this, other countries have laws that you and your business may have to comply with.
U.S. Regulations and Orders to Consider
In May 2021, President Biden issued Executive Order 14028, Improving the Nation's Cybersecurity, to help protect individuals and industries from cyberattack. The order includes sections on Removing Barriers to Sharing Threat Information (Sec. 2), Enhancing Software Supply Chain Security (Sec. 4), and Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents (Sec. 6). Its overall goal is for the federal government to become more aware of cyber risks and more transparent about attacks. Although the order directly binds federal agencies and their contractors rather than private businesses in general, the standards it directs NIST and other agencies to produce are likely to shape how we all approach cyber protection as a country, and legislators are working on further guidance for both proactive and reactive cybersecurity. In addition to this recent order, other laws apply to all businesses, and there are industry-specific guidelines as well.
One of the more prominent laws related to cybersecurity is the Cybersecurity Information Sharing Act of 2015 (CISA; not to be confused with the Cybersecurity and Infrastructure Security Agency, which shares the acronym). The act authorizes private companies to voluntarily share cyber threat indicators and defensive measures with the federal government and with each other, and gives liability protection for sharing done under its terms, so that emerging threats can be addressed more swiftly. This supports the goal of increasing transparency in an effort to keep cyber threats from spreading or gaining enough strength to severely impact the public.
Certain industries have more stringent standards than others for all sorts of aspects of operating a business: financial reporting, record keeping, and of course cybersecurity. Industry-specific standards naturally vary by field; one of the most notable is the Health Insurance Portability and Accountability Act (HIPAA) in healthcare. HIPAA applies to covered entities such as health plans, healthcare providers, and clearinghouses, and to the business associates that handle protected health information on their behalf, and it holds them to a standard for protecting that information. When the law was enacted in 1996 it focused little on the cyber side, since the digital world was still young. As the Internet grew, the HIPAA Security Rule extended that duty to electronic protected health information, requiring administrative, physical, and technical safeguards such as risk analysis, access controls, and audit logging. The stakes are not only regulatory: if a medical practice lacks strong cybersecurity, patients will spread the word and take their business elsewhere. If you do not keep up with the level of cybersecurity of your peers in the healthcare industry, you will struggle to compete today.
Above and beyond United States regulations and industry-specific standards, you may need to take international regulations into account if your business has any international customers or operations that cross borders. The most well-known of these is the European Union's General Data Protection Regulation (GDPR). Although it is an EU law, it applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behavior, so a US business with European customers must comply. GDPR is a data protection law rather than a cybersecurity law as such, but it requires appropriate technical and organizational security measures for personal data and notification of the supervisory authority within 72 hours of becoming aware of a personal data breach, and non-compliance carries substantial fines. While cybersecurity best practices should be something you hold your company to simply to avoid an attack, frameworks such as GDPR or CISA can be motivation enough to get your cyber defenses in order.
Being proactive about cybersecurity can save you time, stress, and money, and it reduces the risk of breaking national or international regulations or falling short of industry standards.