Dan Smith, Zeguro co-founder and Forbes Technology Council member, explains how SMBs can protect themselves from the regulatory wave that is coming in his article, Data's Double Edge. (Reprinted as it originally ran on Forbes.com last month.)
Data is now truly everywhere, with “digital transformation” happening across every industry. All sizes of organizations are deploying software-as-a-service and all sorts of connected devices to manage multiple areas of business.
Running concurrently with this massive ingestion of ones and zeros is data protection law, both in the European Union with the General Data Protection Regulation (GDPR) and, in the United States, with the California Consumer Privacy Act (CCPA), not to mention bills drafted in other states. If you are not already familiar with the GDPR and CCPA, the shortest way to describe them is that they are laws requiring companies to take reasonable data protection measures to safeguard residents' personal information.
You may have seen headlines about fines levied against the likes of Marriott, Google and Facebook, but data touches far more of the American economy than the corporate and tech giants. In short, because of the speed at which data is being ingested and because of the scattered, jurisdiction-by-jurisdiction approach to governing it in our globally connected time, smaller businesses also need to treat data security as a top priority or risk going out of business.
While most small and midsize businesses (SMBs) cannot afford dedicated security personnel and lack the expertise needed to implement reliable solutions, the courts will uphold these laws regardless, putting responsibility firmly in business leaders' hands.
As the co-founder of a cybersecurity insurance company, my suggestion is to own and manage this aspect closely from inside your business rather than treating it as someone else's problem. Go on the offensive with an integrated approach to cyber safety that addresses best practices through people, processes and technology, and make sure you are covered with proper insurance in the event of a breach.
SMB data security is imperative.
Today, the majority of small businesses in verticals like finance, health care and IT store customer and lead-generation information, and many also use more sophisticated client-service software linked to point-of-sale systems to personalize service and offer discounts in a timely, effective way.
From the customer standpoint, we are faced with brutally efficient reward incentives and perfectly timed discounts, all made possible by sharing data. A study conducted by analytics firm SAS, which surveyed 525 U.S. adult consumers in 2018, found that 73% of consumers said their concerns about their personal data had grown over the past few years. Yet we are often happy to make the trade for the convenience it brings in these fast-paced times.
A millennial who woke up this morning in any major city in the United States could have visited a gym that registers its clients for classes through a mobile app, then met friends afterward at a coffee shop, paying with a loyalty app, and, through the always-on connectivity of a modern phone, already shared a wealth of revealing and sensitive information with those retailers before lunch. If Equifax and Marriott can be targeted and infiltrated with standard attacker playbooks, believe that your gym and neighborhood coffee chain can be, too.
Because of this environment, and the speed of regulation matched only by the size of data ingestion, the risks of poor data management for small businesses are too numerous to list.
Awareness is only the first step.
The GDPR sparked a global conversation around data security, and I believe the CCPA will do wonders for getting data protection in front of customers through the news headlines it is likely to create. But make no mistake: The majority of small to midsized businesses are unprepared for the regulatory wave that is about to crash on their shores, not to mention the financial damage that could come from a data breach.
The same technologies you depend on to help your business grow (the internet of things, the cloud, web apps, etc.) are already subjecting you to new kinds of security threats; hence, data’s double edge.
What can you do to prepare and protect yourself?
SMBs have limited budgets, time and patience when it comes to understanding what they need to do to ensure their business is secure. But where should you start? And where should you deploy these precious funds in the best way?
Begin by identifying the four Ws:
1. What data does your organization store?
2. What regulatory requirements does your business face?
3. Who, inside or outside the organization, is responsible for its cybersecurity?
4. What cybersecurity systems, tools and processes are currently in place?
Answering these questions lets you identify gaps in your cybersecurity program and build a baseline picture of your current posture: your people, process and technology landscape, and the business risks your organization faces.
Utilizing tested and trusted industry best practices and standards, your internal or external cybersecurity expert should be able to pair your current cybersecurity baseline with a roadmap of what your organization needs to do to achieve the desired maturity. If you’re working with an external partner, ensure that your day-to-day IT consulting firm has dedicated and experienced cybersecurity staff and resources.
What level should you be at? This is usually determined by a combination of the risk appetite the board and/or business leaders set, based on business risks, and the regulatory and compliance controls the organization follows. For most SMBs, this means a program made up of automated tools (automated vulnerability scanning, employee security awareness training, phishing simulations, next-gen endpoint protection, etc.), manual processes (security policies, manual penetration tests and bug bounty programs, data privacy and security audits of your technology and your policies, etc.) and continuous, ongoing reporting to business stakeholders on how well the program is performing.
Today's business climate, where breaches are affecting brands large and small, has created awareness among startups and other SMBs about the importance of cybersecurity best practices, and this is a good thing. By following the steps I've outlined above and respecting the regulations you must comply with in your industry, you can rest easier knowing that data will continue to improve your bottom line rather than leave your business without a lifeboat when the next wave hits.