13 Low-Budget, High-Impact Ways to Reduce Privacy and Cybersecurity Risks in 2025

Schwabe, Williamson & Wyatt PC

Give Thanks

Cybersecurity and IT leaders are vital to every organization’s success. But they might also be burning out now, when you need them more than ever. 93% of security leaders say they’ve considered quitting their job due to the high stress and demands. Thank everyone who keeps your network and data safe!

A+ on Acronyms

Know which laws apply to your organization, whether it’s the OCPA, CCPA, GDPR, FERPA, or HIPAA. Once you ace your acronyms, it’s easier to decide how to prioritize your efforts.

It’s All Personal

Privacy laws govern the use of “personal data,” which is broadly defined to include obvious identifiers, such as your name, and unique identifiers, such as cookie and device IDs. Do you know whether the data you are collecting on the internet is personal data?

Check on It

Do you know your requirements and what counts as “personal data”? Do you have an inventory? Do you know what categories of personal data you collect about customers, website visitors, applicants, employees, and business partners? Keep a data inventory to readily assess your risks. It can also come in handy for situations like a ransomware attack, in case you’re forced to weigh your options and determine your obligations.

Delete. Repeat.

Do you delete personal information you no longer need, to reduce cybersecurity risks and lower the cost of your next data breach? Yes, that’s right. It’s not an if, it’s a when! If you have personal data about former employees and their beneficiaries that could be used to obtain a driver’s license, consider implementing a data retention and deletion policy.

MFA for Days

Do you use multifactor authentication? According to Microsoft, more than 99.9% of compromised accounts don’t have MFA, which leaves them vulnerable to password spray, phishing, and password reuse.

CYA with IRP

A solid Incident Response Plan (IRP) can enable you to sleep easy at night. How will your leadership team communicate if your network is compromised? Do you know who to call if you incur a ransomware attack? Does your response team know how to use Attorney-Client Privilege and the Work Product Doctrine to reduce breach litigation risks?

Look Your Best

Have you updated your privacy statement recently? If you haven’t updated your privacy statement in the last year, it may be time for a makeover. A good-looking privacy statement is a great risk-mitigation tool.

GenAI Genius

By late 2024, nearly 40% of the U.S. population between 18 and 64 was using generative AI. As much as 23% of employed respondents had used it for work at least once in the preceding week, and 9% used it every work day. Do your employees know the guardrails? Do you have a GenAI policy?

Share Smartly

If you haven’t already, compile a list of third parties who have access to your data. It might include cloud service providers, marketing vendors, business partners, analytics companies, even staffing services. Do your agreements with these third parties limit their use of your data and impose sufficient security controls?

PIA Power

If you are subject to state privacy laws, most require you to complete Privacy Impact Assessments (PIA) for riskier data processing operations. What does your organization do with data that might require a PIA?

Fine-Tuned Templates

Under privacy laws, agreements that entail the exchange of personal data must include key privacy and security provisions. Have you updated your vendor agreements or sales templates lately?

Policy Savvy

Go find your cybersecurity insurance policy. Make yourself a cocktail. And get ready to go on a journey. What does your policy actually cover in the most common security breach scenarios?

Raise Awareness

Data protection is 24/7 and all hands on deck. Do all your employees have access to training materials, and are they on notice of the biggest risks? Do they know how to report privacy and security threats appropriately?

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Schwabe, Williamson & Wyatt PC
