Fire, Flood, and Cybersecurity
In some respects, cybersecurity is not that different from protecting your building against fire or flood. For instance, if you choose to construct a building on a floodplain and take no precautions while building, you are responsible for the damage caused when you inevitably get flooded. Likewise, if you own an apartment complex and neglect to install smoke alarms and sprinklers, you will not be able to rent the space because it will be deemed unsafe.
However, this wasn’t always the case. All of the things we now take for granted, such as the flashing fire alarms, the noise, and the many different types of fire suppression systems, evolved as we learned the full nature of these static threats.
The same is true of cybersecurity. It is evolving. The FTC has said that you must have reasonable security measures in place.
Reasonable Security Measures
Even if your company has a specific compliance mandate, such as HIPAA or PCI, you still have to practice reasonable cybersecurity, as the FTC defines it, across your entire organization.
The Federal Trade Commission (FTC) Security Standard states that you must have “reasonable security measures” relative to…
- An entity of similar size and sophistication
- The type, amount, and methods of data collected
Twenty years ago, having a firewall would have been impressive security. Today, however, a firewall is like fire sprinklers: it’s a given. In fact, in some cases it would be negligent not to have sprinklers. It is careless, and if you were a landlord running an apartment complex without adequate fire safety, it can even become criminal.
Cybersecurity is Not a Technology Problem
Cyber risks are rising for everyone, every day. Therefore, we must embrace the concept that cybersecurity is not a technology problem but rather a management opportunity. Cybersecurity is not a destination or a thing you purchase. It’s how you travel to the places you want to go.
As you are working to acquire more customers and increase your profit margins, you must be mindful to include cybersecurity as a part of your overall plan. Today, most executives don’t realize just how dangerous their cybersecurity journey is!
Most organizations find out they’ve had a data breach more than 200 days after the hack. And they usually find out from a customer, law enforcement, or the media.
How to Achieve Reasonable Cybersecurity
These two strategies will lead you to reasonable security.
- Become a Difficult Target
- Become Cyber Resilient
First, don’t be an easy target. Most cybercriminals are looking for easy targets. It’s like the car thief cruising through a large parking lot looking for the make and model that’s easiest and fastest to steal. If your car has a club on its steering wheel, the thug will keep walking, not because the club is impossible to defeat but because there is an easier target nearby.
Second, becoming cyber resilient is key to having reasonable cybersecurity. The attacks that are coming at us today are much more powerful and effective than they have been in the past. It’s inevitable that we’re all going to suffer a cyber attack sooner or later. You want to make sure that when it happens, you can resist the attack and get back to regular business as fast as possible.
A great example of cyber resilience is DHL: It was hit by NotPetya in 2017, but it kept on delivering packages.
In contrast, its direct competitor, the FedEx subsidiary in Europe, TNT, was out of business for days after it was hit by the same NotPetya attack.