
How Security Awareness Training Can Help Your Business Comply With the New York SHIELD Act


Cybersecurity is a necessity for any business today. Organizations that handle private data such as financial or medical information have long been required to safeguard it. But now New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security”) is tightening the regulations for that security.

The act widened the definition of protected “private information” to include biometric, login, and financial data. It also broadened the definition of a reportable data breach: unauthorized access to computerized data that compromises the security, confidentiality, or integrity of private information now counts as a breach, not only unauthorized acquisition of that data.

The SHIELD Act doesn’t apply only to New York businesses, either; it covers every employer and organization, wherever located, that holds the private information of a New York resident.

The final regulations of the act, which impose new data security requirements, went into full effect just last year, on March 21, 2020.

What This Means for Businesses

Because social security numbers are included in the updated list of protected information, every New York employer (plus many from other states) is now required to comply with the SHIELD Act.

Though the act does not detail specific safeguards, it does require businesses to create and follow a security plan. It outlines key elements that should be included as organizations “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

One of those now-required elements is training employees in security program practices and procedures.

This is a crucial step to any comprehensive cybersecurity plan, and one that we’ve always encouraged our clients to follow. Having a team that’s trained and prepared can save your company from unsavory and expensive cyber attacks. And now, such training is not only highly recommended, but legally required.

Employee Security Awareness Training

To comply with this act, it’s imperative that your company undergo security awareness training. The purpose of security awareness training is to teach employees sound security practices, because software controls alone often aren’t enough to thwart cyberattacks and prevent data breaches.

High-quality cybersecurity training should include several areas of security awareness and practice, including email phishing training, testing and education, social engineering defense, and practice exercises.

Email Phishing Testing and Education

Phishing emails are malicious messages sent to your inbox imitating correspondence from a trusted source such as a friend, coworker, or business organization.

Their purpose is generally to manipulate you, the recipient, into clicking a link or opening an attachment that gives the attacker a foothold in your network. And they’re extremely common: 64% of organizations surveyed reported experiencing a phishing attack in the last year.

These attacks usually bypass firewalls and antivirus software, so employees need to act as the line of defense that stops them. To do that, they need to be trained to recognize phishing emails and to follow safe cyber practices.

Our highly interactive, scenario-based training modules are designed to teach you and your team to recognize a malicious email before it becomes a threat, and to understand the various ways attackers try to trick and lure users into triggering malicious actions through email.

Additionally, simulated phishing tests let your team apply what they have learned in realistic scenarios. Other key practices to train your team on include ransomware awareness modules that teach how to identify types of malware, the signs of CEO fraud, safe web browsing, safe social media practices, and password security.

Social Engineering Defense

Social engineering is psychological manipulation that persuades someone to perform a task or disclose information. It includes phishing emails, scam phone calls, USB baiting, and more.

To equip your company with the knowledge to identify key vulnerabilities related to social engineering attacks, you should undergo a cyber risk assessment and then take actionable steps to remediate any vulnerabilities found, whether they are software-, hardware-, or personnel-related.

Practice Exercises

Even with plenty of training, you don’t know how prepared you really are until an actual security incident occurs. That’s why tabletop exercises can be invaluable in preparing teams for a cybersecurity breach.

These exercises provide customized security awareness training using a tailor-made curriculum specific to your technology and environment. By walking your team through potential disaster scenarios step by step, you can ensure you have an efficient plan in place should a data breach or other catastrophe occur.

Comprehensive security awareness training can help you and your employees understand your technology, its weaknesses, and what you can do to maintain strong cybersecurity practices. And due to the now-effective SHIELD Act, it’s more important than ever to involve your whole team in your security practices and training.

If you’re struggling to understand the SHIELD Act or are unsure whether your organization meets its requirements, Corsica Technologies is here to help. Our dedicated security team can answer any questions you may have, or can conduct a Security Posture Review to see where you stand. Please reach out to our team here or call us at (877) 367-9348.

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.
