Connecticut Cybersecurity Bill Highlights Importance of Compliance
With more internet-connected devices in the hands of more people, and a larger chunk of the workforce doing their 9-to-5 from home, cybercriminals have targets and opportunities like never before.
The state of Connecticut is responding to this tidal wave of cyberthreats with proposed legislation aimed at encouraging companies to increase their cybersecurity. In a nutshell, the proposed bill provides incentives for businesses to reach compliance with nationally recognized standards of cybersecurity.
In case of a breach, a compliant company would be shielded from legal liability stemming from a cyber attack. The bill was unanimously approved in the state House on May 20 and now moves to the state Senate.
Small- and medium-size business owners across the state have no doubt taken notice of the myriad stories of cyber attacks, ransomware demands and data breaches. It can be intimidating. You might think to yourself, "Hey, I could be next." Or, on the flip side, you might think there's no way you're going to become an expert on cybersecurity before that happens.
Information security is my specialty. Helping businesses protect themselves from cyberattacks is what I’ve been doing for years. Naturally, becoming compliant with cybersecurity standards is something I would recommend 100 times out of 100. Now the state of Connecticut is aiming to provide even more incentive.
A necessary evil? You’re only half-right
For most companies, cybersecurity tends to be thought of as a cost center. To them, protecting data is an unnecessary cost of doing business and doesn't really drive the profit or the bottom line for the company.
Connecticut is looking to provide incentives for companies to do more to protect their data. Following cybersecurity best practices should be seen not just as a cost, but as a benefit to the business, both short term and long term.
Proper cybersecurity doesn’t provide business owners with a tangible product to sell. You don’t make money directly by investing in cybersecurity. But not losing money — or data, or capabilities, or reputation — is just as important.
Investing in cybersecurity is prudent for any business owner; this bill adds another layer of protection in the form of a safety net.
Get the gist of NIST
There are a number of different cybersecurity frameworks out there. One of the best understood, and probably the most thorough, comes from NIST, the National Institute of Standards and Technology.
NIST actually has a few cybersecurity frameworks that point to best practices, depending on the environment in which you protect your information, from a physical as well as a data-driven or electronic view.
What Connecticut wants to do for local businesses is ensure that if they have these protections in place, their liability will be lowered in the event a cyber attack impacts their data or their ability to perform regular operations. That can be a huge cost savings, especially for a small business.
The Ponemon Institute releases an annual Cost of a Data Breach report. For 2020, the average was $3.86 million. In the United States, the most expensive country in the world in this category, that cost averages $8.64 million.
Reduce your cyber insurance premiums
By far the most common thing we see nowadays in the cybersecurity realm is ransomware. Criminals aren’t necessarily looking for information. For the most part, your average hacker or digital criminal is looking for money. Ransomware is an easy way for them to do that.
As a result, cyber insurance is a fast-growing industry that has risen to prominence by helping protect businesses against ransomware and the costs associated with it.
Mitigating the risks, by having the proper protections in place and being able to demonstrate best practices in cybersecurity, could help lower the premium.
Proper security is an ongoing battle
It’s crucial to remember that compliance is the starting point. It checks the box. True security is an active, ongoing process. What are the threats, and how are they changing?
We all love it when Windows says, “Hey, it's time to install patches,” and you know that your system is going to be offline for a couple of hours for updates. But those updates are critical.
They enhance your security posture. So does making sure that each person's login gives them access only to the information they need and nothing else.
It isn't just about putting one tool in and saying, “Great, we're covered, we've done everything. We can set it and forget it.” It’s not about establishing a framework, letting it sit for a few years and then scrambling to fix everything in anticipation of the next audit.
It's about having defense in depth, as we often say, or layers of security to stop different kinds of threats.
Continuous monitoring means continually observing your environment, looking for threats, making sure that you understand what your business risk is, and adapting accordingly by putting in place the proper defenses that correspond to that risk.
In addition to consistently updating the defenses that are already in place, keep in mind that many compliance frameworks change as the threat vectors and the threat environment change over time. But the principles are generally the same. There are always going to be new threats when there is new technology.
That continuous evolution means effective security is about continually monitoring those kinds of changes and those kinds of threats, and adapting to them, while still making sure that your business is able to succeed and get the best out of those new technologies.
Maintaining cybersecurity compliance allows your business to continue to evolve, both in the service it provides to customers and the peace of mind in knowing their information is safe because your company is reputable and reliable.
The stick and the carrot
There are two sides to compliance. There’s the stick: you need to do this or else there will be negative consequences. And there's the carrot: if you do this, then you're going to demonstrate yourself as a leader compared to your peers in the field.
Some companies make cybersecurity a priority, and the way they do it is by achieving top levels in that area. So when compared to their peers, they’re considered a business that goes above and beyond and is world class. That gives customers confidence. And reputation is money.
Especially in an era where data privacy is questionable, by giving your customers a better sense that their information is protected and that risk is minimized, they’re going to be more willing to spend money with your business.
A rising industry in which we're seeing more of this is companies that develop software, websites, and anything e-commerce related. Customers, as individuals, have a strong interest in making sure our personal information is being protected.
If our identity is stolen or compromised, that can cost a lot of time and potentially a lot of money. We may not have the energy or the desire to clean that up every single time.
If we're working with companies who are taking protecting our private information and our identity very seriously, that's going to go a long way toward building trust.
Walk tall, and carry a big stick
President Biden issued an executive order directed at cybersecurity improvements across the country.
That action falls in the stick category, as opposed to the carrot, in the sense that companies need to improve their cybersecurity if they're going to do business with the federal government, or do business across the country in a critical field such as the energy grid.
On the carrot side, a benefit of compliance is a business’ bottom line. After all, that's what most companies, especially most small businesses, are really interested in. Being the victim of a cyber attack is not cheap, but having the proper protocols in place is increasingly becoming worth the investment.
Companies with only a dozen employees may not have a dedicated IT person, but they may be incentivized to find people and bring them in house. They may also go out and find third-party consultants or managed service providers.
Either way, it provides more of an incentive to spend the money and really guard against that risk. If you lose critical information necessary for doing your business, you may not be in business anymore.
Regardless of whether this or any other bill passes or dies, there’s no reason to wait for the state or federal government to put up guardrails for you to start protecting your and your clients’ data.
Start on that process by downloading our free cybersecurity eBook that has 10 simple things your business can do to improve its cybersecurity posture.