Developing a culture of cybersecurity is important for any company utilizing the Internet. Theft of digital information is now the most commonly reported fraud, so businesses must know how to protect themselves and their employees in order to promote business and consumer confidence. Read the following five essential actions for government contractors in order to develop a culture of cybersecurity.
1. Establish a Cybersecurity Policy
Many growing companies overlook the need for a comprehensive policy on cybersecurity. They may use IT, HR, risk management, and other policies to address cyber threats, vulnerabilities, and procedures in an ad hoc fashion. But preparing the company to prevent and respond effectively to the most common problems requires a holistic approach. The starting point can be a simple document describing the roles of responsible officials. It should reflect an assessment of likely and consequential cyber risks the company faces. Inadvertent disclosure of sensitive information, lost equipment, unauthorized or improper use of company networks, and breach of company or customer data held by a third-party are among the most common problems. To develop a culture of cybersecurity, consider this policy to be a first step that evolves with the company.
2. Educate and Train Employees
Human error remains the greatest cyber vulnerability, and studies show that there is significant cost savings in preventing those errors and executing an efficient response and recovery plan. Programmers, data handlers, IT specialists, company executives, third-party businesses, and others make different kinds of mistakes that affect the company’s risk profile. Minimizing those vulnerabilities likewise requires different kinds of training and education. Ideally, companies form an integrated team of IT, HR, sales, operations, legal, and other professionals to discuss cybersecurity, develop employee training, ensure consistent guidance to employees, identify opportunities for formal cyber education, and rehearse the company’s response to various breaches.
3. Know the Law and Regulations
The cybersecurity field may be viewed as a collection of many interrelated sub-fields related to information security. The FAR and DFARS have long required contractors to implement information security controls. This year the work of a joint Defense Department, General Services Administration, and National Aeronautics and Space Administration effort is expected to result in a new government-wide set of basic security controls for contractors’ information systems. In the privacy field, many federal and state laws apply to disclosure of tax information, personal identifying information, health information, and other sensitive information. Companies working in or transmitting data to other countries may also be subject to international and foreign laws. Knowing how these laws affect business operations and future opportunities is an increasingly complex undertaking.
4. Consider Cyber Insurance
This field has developed significantly over the last five years. A cyber insurance policy is not right for every company, but it can be an important component of an enterprise risk management program. Since there is still great variation in coverage and cost, scrutinize policies to consider what they may not cover—like breaches due to malicious software that is already on the company network when the policy is purchased. This is just one area where an integrated team of experts can help identify and implement the best business decision.
Maintaining the status quo in cybersecurity is an invitation to be the victim of rapidly evolving threats, particularly when companies hold valuable government information or other data. Government contractors have the opportunity to be ahead of the legal and regulatory curve by improving the company’s cyber hygiene and making cybersecurity a salient part of all business activities. Consider improvement to be a leadership issue from two perspectives. The first is that senior executives and board members must be savvy and engaged. The second is that every employee has a leadership role to fill as part of an effective, efficient team.
FH+H Counsel David Delaney focuses his practice on clients’ cyberspace needs. He advises on a wide range of business issues arising under international, federal, and state law, including data security, privacy, breach response, product development, contracts, internal policies, and regulatory compliance. Mr. Delaney can also advise officers and directors on strategic risk management, corporate governance, and leadership programs.
Contact him at ddelaney [at] fhhfirm.com for more information or questions about cybersecurity.