Hartford Business Journal Special Editions

November 15, 2021

Issue link: https://nebusinessmedia.uberflip.com/i/1427549

HARTFORDBUSINESS.COM | NOVEMBER 15, 2021

FOCUS: CYBERSECURITY

Expert's Corner: Steps to safeguard your business

The National Institute of Standards and Technology framework for improving cybersecurity infrastructure requires companies to:

Identify: Before an attack, identify what data or systems are vulnerable or could be stolen.

Protect: Safeguard data and systems with insurance and backups.

Detect: Be aware of any anomalies in your systems to detect a cyberattack as quickly as possible.

Respond: Take whatever action is necessary to stop the attack from continuing and contain the impact of the attack while managing communications with stakeholders like customers whose data may have been compromised.

Recover: Restore the capabilities and services that were disrupted for your business during the attack.

sized businesses, Freedman added, since they may have less experience navigating cybersecurity issues than larger firms, and can benefit from the guidance offered by preexisting standards.

"What I like about it is they're not reinventing the wheel," said Tim Weber, director of security services for Rocky Hill-based IT company ADNET Technologies. "They're taking these other compliance standards and allowing organizations to pick which one makes the most sense for them."

Using the analogy of carrots and sticks, Weber said Connecticut's method is less punitive than laws in other states.

"In most states, it's the stick — you'll do this or you'll get in trouble," he said. "But in Connecticut they've positioned this as a safe harbor, which is appealing to companies."

"It's very, very early," Weber added. "But for now I'm cautiously optimistic."

Still, companies should be clear on what the law does and doesn't do, and as Freedman pointed out, the act does not grant complete protection from liability in data breach lawsuits.

The language of the legislation, for instance, says nothing about prohibiting aggrieved parties from seeking compensatory or injunctive relief, Freedman noted, and the protection from punitive damages does not apply if "failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct."

"The risk is that, if the company fails in a very extreme way, they wouldn't be protected from punitive damages," she said.

Even with those limitations, however, experts see the law as a positive way of pushing companies to take cyber threats seriously, especially at a time when attacks from hackers based in Russia and other Eastern European countries are temporarily crippling the operations of major corporations and extracting millions in cryptocurrency payments for the return or decryption of stolen data.

"It's encouraging them to at least try to limit the effect of a security incident," Freedman said.

Weber voiced a similar point, explaining that it will take a combination of incentives and policies to gradually strengthen the private sector's security posture.

"The sophistication and pace of these attacks is only increasing," he said. "And for every major incident you see in the media, there's 100 other ones that don't get publicized. So my view is that anything that motivates companies to get in compliance — even if it's just a few, or one — is a good thing."

Every company should have a written IT policy that applies to all employees

By Dave Bykowski

Almost every company has a set of policies and procedures in place, whether for employee conduct, safety, attendance or human resources functions, to name a few. But if a company doesn't have an IT policy in place, it's missing an important first step in improving productivity and guarding against cybersecurity threats.

An effective IT policy establishes a foundational understanding for all employees on what is allowed or prohibited on the company's systems. This helps protect the company from potential litigation in the event of employee termination. It also improves productivity by setting standards for the most common regular IT functions. Plus, for most cybersecurity frameworks, it's a necessary requirement for maintaining compliance.

Just like all corporate policies that apply to everyone, your IT policy needs to be clearly written out and easy for non-technical employees to comprehend. It must be able to be consistently applied to all employees, ranging from the newest hires to the highest executives. And it should be kept in a location accessible to every employee for easy reference.

If you're just starting to create your company's IT policy and don't know where to begin, here are some topics to consider.

Local access and remote access

It's standard practice for every employee who needs to use a company computer to have their own user ID and password. A well-written access control policy will address who, if anyone, must approve the creation of an account for an employee. It also lays out the naming conventions used for creating user IDs, how long passwords must be and how often they must be changed, and what approvals are required for an employee to receive elevated or privileged forms of access.

The issue of remote access is more important now than it's ever been. Is access allowed for all employees at all times, or are there limitations based on personnel, system functions or time frames? What company resources, such as a virtual private network (VPN) gateway, must be used in performing remote access? Another important aspect of remote access is whether employees are mandated to use company-issued hardware or, in certain limited circumstances, if they are allowed to use their personal devices for corporate network access.

Software and application management

It's often said in cybersecurity that you can't protect what you can't see, and this applies just as much to software as it does to hardware. To be able to maintain inventories of software running on their networks, both for licensing and security purposes, companies need to establish policies on which baseline software is, by default, installed on all systems and how products can be added to that baseline.

Since most users on the corporate network will not have permission to install software, your IT policy should also consider who must approve requests from users for installation of new software products on the network and how these approvals are documented.

When thinking about software policy, don't forget about rules for apps if you also have mobile devices under company control. Be sure to identify in your policy if certain app stores or marketplaces are company approved, including if your company has its own centrally managed app marketplace.

There are always exceptions

You can have a well-written policy that covers everything clearly and consistently, but every once in a while something unexpected comes up. What if your maintenance policy simply doesn't work for a system that, for a certain period of time, can't take time off for updates? Here's where your policy on exceptions comes into play.

Almost every rule has some good reason to be broken. Making sure your company has a policy on how users should submit requests for exceptions, and who approves or denies these requests, is essential to ensuring your company effectively balances cybersecurity and operational needs.

Dave Bykowski is manager of information security and compliance at Glastonbury managed IT service provider Kelser Corp.