Although GDPR and 23 NYCRR Part 500 do not affect most small businesses in the US, there is mounting pressure from many sides urging businesses to take cybersecurity more seriously. There are compelling cybersecurity regulations already on the books for the defense, financial services, banking, and healthcare industries, but many businesses outside these sectors have been slow to adopt formal cybersecurity programs. The consensus across the industry, however, is that it is only a matter of time until most states and/or the federal government impose requirements similar to 23 NYCRR Part 500 on all organizations.
Even if your business does not fall under specific cybersecurity regulations like the ones mentioned above, you are still expected to practice responsible systems management. If you have a security breach or other cybersecurity incident, the authorities and lawyers cannot claim that you were acting with “negligence” as long as you are making some legitimate effort to be a responsible corporate citizen.
At a minimum, you should have end-user security training, some basic documented policies and procedures, and current firewall and antivirus solutions in place. Unfortunately, many small businesses do not even have these basics covered, leaving themselves wide open to attacks and the resulting consequences.
If you would like more information about how you can start taking some of the basic steps towards implementing a Cybersecurity program, please contact us.