We have been discussing various ways that Connecticut small businesses have been affected by cyberattacks, but small businesses aren’t the only victims. As recent news stories have shown, government has to be wary of hackers as well. Whether it’s the Russians trying to affect the outcome of an election or cyber crooks hunting for Social Security and employment records, government agencies also are being targeted for cyberattacks. There is no central authority for government cyber security, so each federal agency and state is responsible for protecting its own data. Some states fare better than others, and how they choose to tackle cyber security can have a big impact on small business.
Government agencies are hacked in the same way as small businesses. In 2014, for example, there were 27 security incidents affecting government agencies, including a data breach that compromised records for 800,000 employees and 2.9 million customers of the U.S. Post Office; a data breach that affected 850,000 Oregon job seekers; and a third breach that uncovered background data on 25,000 underground investigations by Homeland Security. The Brookings Institute determined that federal agencies are woefully unprepared for data breaches and that more than half of federal agencies don’t even have a cyber security plan.
State governments seem to be more prepared. The same Brookings report also revealed that each state (with the exception of Alaska) has published its own cyber security strategic plan, and the details of these plans vary from demonstrating an awareness of the problem all the way up to a very comprehensive security strategy.
Vermont, for example, mentions upgrading its legacy systems but offers no specifics or time frame. Maryland also reports seeing a surge in cyberattacks but offers no new security policies. New Mexico, on the other hand, has a 10-part Information Technology Security Plan based on metrics. Colorado also uses metrics to ensure: 1) 95 percent of systems are monitored in real time, 2) 90 percent of state employees have security awareness training, 3) overdue security audit findings are reduced 5 percent each quarter, and 4) the number of high-risk security findings not remediated within 60 days drops to fewer than 50 annually.
The State of Connecticut has its own Information and Telecommunications Strategic Plan with well-defined goals and strategies. A first for the state is making Connecticut small businesses accountable for protecting the personal information of state residents.
The latest security laws passed on June 30, 2015, include provisions such as a 90-day deadline to report a data breach, and providing data breach victims such as customers a year of free identity theft protection services. For retailers and other businesses that handle credit card transactions and maintain customer records, this new law adds significant expense to the cost of a data breach. When you consider that recovering from a data breach can cost a small business on average $36,000, adding in the cost of reporting and identity theft protection could result in bankruptcy for some Connecticut small businesses.
Health care businesses that maintain patient records have the burden of additional security requirements. They need to implement and maintain a “comprehensive information security program” with provisions that go beyond federal HIPAA requirements for protecting patient data. For example, all patient data transmitted over a public network or wireless connection must be encrypted. There also are stringent data access protocols and authentication procedures, with severe penalties for employees who violate those protocols. State contractors have similar requirements to protect personal information.
To protect themselves and ensure compliance with the state’s cyber security regulations, Connecticut small businesses need to step up their security measures and prepare for the worst. That means enhancing data protection measures, increasing security of customer and financial records, and setting a 24-hour security watch on the company’s computer network.
Most small businesses don’t have the budget or the resources to hire a full-time security expert, but they require more protection because they are more susceptible to the consequences of a data breach. Rather than trying to add more IT security staff, small businesses are turning to managed service providers (MSPs) to serve as their cyber watchdogs.
MSPs can assist by performing a data security audit to identify potential areas of weakness and helping develop a strategy to harden cyber security. In addition to periodic audits, MSPs also can provide services such as malware and antivirus protection, remote monitoring to watch for anomalies, and even managing data breach protocols. They also can provide security training to employees, because research shows that the majority of data breaches are the result of untrained workers falling victim to phishing or malware attacks.
Anyone doing business in Connecticut needs to be aware of the latest cyber security policies. If your organization lacks the resources to keep a full-time data security expert on staff, you can always get the assistance you need from your friendly neighborhood MSP. The state has made it clear that it is declaring war on cyber criminals, but you don’t want your business lost in the crossfire. Get the help you need to refine your cyber security strategy before you discover you need it.