As former President Ronald Reagan once said, the scariest words you’ll ever hear are, “We’re from the government, and we’re here to help.”
In this case, the government is trying to help by forcing nearly all businesses to implement and maintain a strong cybersecurity program to protect the customer information these companies host. This is definitely not a bad thing, and all businesses should take this seriously without the government mandating it.
Sadly, most small businesses fail to take cybersecurity seriously enough and believe they are doing enough to prevent a cyberattack when they aren’t, which is why the government has had to step in and create laws (the Gramm-Leach-Bliley Act, or GLBA) that enforce better security protocols.
Hacking groups use automated bots to carry out their attacks indiscriminately, and small businesses are their #1 target because of their gross negligence and inadequate protections. You are low-hanging fruit. That’s why it’s not only the obvious organizations, such as CPAs, financial institutions, and credit unions, that need to comply. Here’s a short list of just a few of the organizations that fall under this new law. You should know that this is NOT a complete list:
As you can see, the companies that must comply are growing rapidly. Bottom line, if you handle any kind of financial data or personally identifiable information, you need to make sure you are complying with these new standards.
The rule requires you to implement a “reasonable” information security program. But what does that mean? For starters, you need to designate a qualified individual to implement and supervise your IT security program, and you cannot outsource this. Yes, you can and should get a professional IT firm like us to guide you on the implementation, but the buck still stops with you.
The person you designate doesn’t have to have a background in IT or cybersecurity, but they will be responsible for ensuring your company is taking reasonable precautions to comply with the new security standards.
Second, the Safeguards Rule requires you to conduct a risk assessment to initiate an effective security program. From there, you would work with your IT company (us!) to roll out a plan to secure and protect the data you have by putting in place access controls, encryption, data backups, 2FA, and several other protections.