by Al Alper
Why? Three strong reasons. One: any business that reports to the New York State Department of Financial Services (DFS) is now required to be in compliance with the new cybersecurity regulation, 23 NYCRR 500. Two: although Reason One may not apply because a) your organization is not based in New York and/or b) your business does not report to New York State’s Department of Financial Services, chances are these cybersecurity regulations are going to be examined by other states and industries in the not-too-distant future – in fact, we know of several states currently reviewing them in committee, and it’s always better to be ahead of the curve whenever possible. And Three: effective cybersecurity just makes good business sense.
By now, most organizations that fall under the oversight of the New York DFS know that they need to up their cybersecurity game, if they haven’t already. With the regulation enacted as of March 1, New York has granted organizations a six-month transitional period before they are required to demonstrate compliance on August 28th with the first round of requirements, with additional checkpoints at one year, 18 months, and two years out. Boiled down, these requirements include establishing a cybersecurity program, developing cybersecurity policies, identifying a Chief Information Security Officer responsible for making sure private information is protected, conducting penetration testing and vulnerability assessments, establishing an audit trail, determining access privileges, implementing application security, conducting risk assessments, identifying cybersecurity personnel and intelligence, developing a third-party service provider security policy, implementing multi-factor authentication, devising limitations on data retention, establishing training and monitoring programs, ensuring the encryption of nonpublic information, readying an incident response plan, and following through on notices to the superintendent.
That said, most, if not all, manufacturers do not fall under the oversight of the New York DFS, so why worry? Reasons Two and Three go hand in hand – other industries in other states are looking at the efforts of New York State, in part because a lack of cybersecurity can have dramatic and destructive effects for the company, and for anyone (clients, vendors, employees) associated with it.
And, as businesses in virtually every industry face new and more sophisticated threats from cyber criminals, manufacturers that take action now will not only be ready for mandated compliance requirements if and when they do take effect, but will also be taking steps to protect the valuable information stored within the electronic files of the company, which is not only good business sense but also potentially a market differentiator, especially if your company is one of the first to really tackle these initiatives.
Any business can go online to look at the specific requirements laid out under 23 NYCRR, but few will be able to ensure compliance with these or similar regulations on their own. By understanding their internal IT capabilities and assessing their vulnerabilities, companies will be able to move forward from there to determine how best to safeguard their technology. Operators of smaller companies with no current internal IT capabilities should look to partner with an IT security provider familiar with the new regulations and offering a turnkey solution with a package of services that meet these requirements. Manufacturers with some internal or outsourced IT capability might need to work with an IT security provider that can ensure all facets of compliance. And for those larger companies with established internal IT departments, an a la carte approach may make the most sense.
Especially for manufacturers who do not fall under specific compliance requirements at this time, a proactive approach to cybersecurity efforts may prove most effective. By understanding the current and potentially evolving threats that are out there, determining what within your business needs protecting, auditing your current technology protection, and then supplementing as needed, a manufacturer is best positioned to ward off and address any threats meant to infiltrate their technological troves.
Most of the cybersecurity requirements set forth in the new New York regulations are really just best practices for any organization, and they aren’t terribly expensive or difficult to employ. A qualified IT or technology security company can help manufacturers put them in place quickly and easily.
Manufacturers are always looking for ways to stand out from their competitors. If a manufacturing company experiences a cybersecurity breach, they will achieve this differentiating quality, but not in the way they planned – and definitely not in any kind of beneficial way. Better for them to be ahead of the cybersecurity curve by ensuring more protection, and demonstrating themselves as a trusted partner in the process.
Al Alper is CEO and Founder of Absolute Logic (www.absolutelogic.com), which since 1991 has been providing Fortune 500-style technical support, security services and technology consulting to businesses of up to 250 employees within Connecticut and New York. Al is also a national speaker on IT and security issues and has authored the popular books, REVEALED! The Secrets to Hiring the Right Computer Consultant and REVEALED! The Secrets to Protecting Yourself from Cyber-Criminals. He can be contacted at al.alper@absolutelogic.com or (855) 255-1550.