Cybersecurity is a necessity for any business today. Organizations that handle private data such as financial or medical information have long been required to safeguard it. But now New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security”) is tightening the regulations for that security.
The act widened the definition of protected “private information” to include more biometric, login, and financial data, and it also now includes unauthorized access of computerized data that compromises the security, confidentiality, or integrity of private information in the definition of a data breach that must be reported.
The SHIELD Act doesn’t just apply to New York businesses, either; it covers all employers and organizations that hold the information of a New York resident.
The final regulations of the act, which impose new data security requirements, went into full effect just this year, on March 21, 2020.
What This Means for Businesses
Because social security numbers are included in the updated list of protected information, every New York employer (plus many from other states) is now required to comply with the SHIELD Act.
Though the act does not detail specific safeguards, it does require businesses to create and follow a security plan. It outlines key elements that should be included as organizations “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
One of those now-required elements is training employees in security program practices and procedures.
This is a crucial step to any comprehensive cybersecurity plan, and one that we’ve always encouraged our clients to follow. Having a team that’s trained and prepared can save your company from unsavory and expensive cyber attacks. And now, such training is not only highly recommended, but legally required.
Employee Security Awareness Training
In an effort to comply with this act, it’s imperative that your company undergo security awareness training. The purpose of security awareness training is to teach employees sound security practices, because software alone often isn’t enough to thwart cyberattacks and prevent data breaches.
High-quality cybersecurity training should include several areas of security awareness and practice, including email phishing testing and education, social engineering defense, and practice exercises.
Email Phishing Testing and Education
Phishing emails are malicious messages sent to your inbox imitating correspondence from a trusted source such as a friend, coworker, or business organization.
Their purpose is generally to manipulate you, the recipient, into clicking on a link or downloading an attachment that allows the hacker into your network. And they’re extremely common: 64% of organizations surveyed reported experiencing a phishing attack in the last year.
These attacks usually bypass firewalls and antivirus software, so employees need to act as the line of defense to stop them. But in order to do that, they need to be trained on how to recognize phishing emails and use safe cyber practices.
Our highly interactive, scenario-based training modules are designed to teach you and your team to recognize a malicious email before it can become a threat and to understand the various ways in which attackers try to trick and lure users into triggering malicious activity through email.
Additionally, simulated phishing tests allow you to test what you have learned in realistic scenarios. Other key practices to train your team on include ransomware awareness modules that teach you how to identify types of malware, signs of CEO fraud, safe web browsing, safe social media practices, and password security.
Social Engineering Defense
Social engineering involves psychological manipulation that persuades someone to perform tasks or disclose information. This can include phishing emails, scam phone calls, USB baiting, and more.
To equip your company with the knowledge to identify key vulnerabilities related to social engineering attacks, you should undergo a cyber risk assessment and then take actionable steps to patch any vulnerabilities, whether software-, hardware-, or personnel-related.
Even with plenty of training, you don’t know just how prepared you are until an actual security incident occurs. That’s why tabletop exercises can be invaluable in preparing teams for the event of a cybersecurity breach.
These exercises provide customized security awareness training using a tailor-made curriculum specific to your technology and environment. By walking your team through potential disaster scenarios step by step, you can ensure you have an efficient plan in place should a data breach or other catastrophe occur.
Comprehensive security awareness training can help you and your employees understand your technology, its weaknesses, and what you can do to maintain strong cybersecurity practices. And due to the now-effective SHIELD Act, it’s more important than ever to involve your whole team in your security practices and training.
If you’re struggling to understand the SHIELD Act or are unsure whether your organization meets the requirements, Corsica Technologies is here to help. Our dedicated security team can answer any questions you may have or can conduct a Security Posture Review to see where you stand. Please reach out to our team either here or call us at (877) 659-2261.