Viewing archives for Management information

A CEO’s Guide to the New York Shield Act

Graeme Freeman, Co-founder and President of Freeman Clarke recently spoke with one of our Directors in NYC, James Sharp, about the NY Shield Act and what it means to mid-market CEOs.

This summary of their conversation forms a simple FAQ about the Act and its implications for ambitious CEOs.

What is the NY Shield Act?

Graeme Freeman: Jim, can you please start by giving a simple summary of the NY Shield Act?

James Sharp: Very simply, the law expands data security and breach notification requirements to cover any business that collects private employee and customer data of New York residents. The law requires businesses to implement and maintain reasonable safeguards to protect the security and integrity of private information.

Graeme: So, just to clarify, the law applies to any company in any state that stores data about residents of New York State.

Jim: That’s correct. It’s a law that exposes you to heavy fines regardless of where your business is based.

Graeme: And this law has been passed?

Jim: Yes, it’s live. All businesses needed to be compliant by March of 2020.

Graeme: So what are the key points about the new law, and what does the CEO of a mid-market business need to do?

Jim: Well the key points are very simple. You need to take reasonable steps to protect private information and to report any breaches; this is not complicated. But the CEO isn’t going to configure the firewall, install the software and write the password policy. So the business question is: what steps should the CEO take to ensure his or her business doesn’t end up with a fine?

“The business question is: what leadership steps should the CEO take to ensure his or her business doesn’t end up with a ruined reputation and a disastrous fine?”

James Sharp, Regional Director, Freeman Clarke

What leadership steps should the CEO take?

Graeme: Right, so what are the CEO’s actions to get compliant with the NY Shield Act?

Jim: The first action is very simple: start by ensuring that roles are clear. At the very top, a single member of the Executive Team needs to have overall accountability and the senior leaders need to meet regularly, perhaps every quarter, to discuss corporate data security. If you don’t have the expertise in the organization to lead such a committee, then you need to get it.

Graeme: OK, that’s where we come in.

Jim: Correct!


Head-in-the-sand management?

Graeme: If the exec team haven’t really bought into this, how can the CEO galvanize them into action?

Jim: Well, one good way to start is to get the team together to workshop scenarios. How might a security breach occur? How are we mitigating this? How would we respond? Most likely you will surface a lot of unanswered questions and a lot of “head in the sand management”.

Graeme: When you say “head in the sand management” you mean leaders in the business who don’t really understand this area so ignore it?

Jim: Yes! The members of the exec team are busy, under pressure, and they stick to what they know. Cybersecurity must be someone else’s problem.


Is this just a lot of paperwork to keep the lawyers happy?

Graeme: Once the roles are clear, what happens next?

Jim: To comply with the law you need to have a security plan consisting of corporate data policies and procedures, regularly updated and published to the employees. And you need a comprehensive training program in place to support the knowledge transfer of the policy.

Graeme: Is this just a lot of paperwork to keep the lawyers happy?

Jim: If you just create a lot of paperwork, you’re doing it wrong, and you still won’t be secure. Time and time again CEOs believe their organization has a data security plan in place, but in reality the plan is outdated or nonexistent. Or it’s impractical and no-one takes it seriously. Most breaches happen as a result of basic ignorance or people not caring.

“Time and time again CEOs believe their organization has a data security plan in place, but in reality the plan is outdated or nonexistent. Or it’s impractical and no-one takes it seriously.”

James Sharp, Regional Director, Freeman Clarke

How to make cybersecurity planning genuinely valuable

Graeme: So how do you make this genuinely valuable rather than box ticking?

Jim: The policies need to be practical, the training needs to be engaging, and there needs to be a genuine leadership commitment to making this work. If people know the basics and take this seriously then you will very likely not have a breach – it’s as simple as that. Most hacking is not very sophisticated. If you get the basics right you will probably be OK. The thing is that most companies don’t.

Graeme: What are the basics?

Jim: You need visibility into how your company’s private data is being accessed, modified, moved and deleted, as well as understanding who in the organization has access to it. These actions, combined with a real-time security system that allows the company to generate reports and notifies the appropriate people in the event of a breach, are important actions to gain compliance with the Shield Act.


What are the 5 practical action steps a CEO needs their IT team to take to ensure compliance with the NY Shield Act?

Graeme: What are the five practical action steps a CEO should take tomorrow to ensure compliance with the NY Shield Act?

Jim: Step 1 is data discovery and classification. An organization can only protect its private data if it knows what private data it has and where it is located. There are a number of commercial tools that will automatically discover and classify a wide range of personally identifiable information (PII), including social security numbers, driver’s license numbers, bank account details, passport numbers, and more.

Step 2 is implementing a data retention policy. Only collect and store private data if it is absolutely necessary. Organizations must ensure that they have a data retention policy in place which details what data they will collect, how, and for how long they will keep it. The policy should also include details about how data should be disposed of when it is no longer required.

Step 3 is implementing an access control policy. Organizations must have an access control policy in place which determines who should have access to what data and why, and they will need to keep an up-to-date inventory of all access controls that are assigned.

Step 4 is adopting a real-time alerting platform. In addition to monitoring changes to access controls to protect against “privilege escalation”, organizations must also monitor all access to private data and make certain they have a notification alert system in place. If a user account is accessing private data in a way that is not typical for that particular user, a real-time alert should be sent to the relevant staff for immediate review.

Step 5 is using an advanced reporting console. Most data security platforms provide an advanced reporting console, which enables administrators to quickly and effortlessly generate reports that can be sent to the supervisory authorities as and when required. Most solutions provide a wide range of pre-defined reports that are customized to satisfy the relevant compliance requirements.


Cultural Change and Training

Graeme: How does the CEO make this important to the organization to ensure it actually happens?

Jim: Very simply, the CEO and all the senior leaders need to show by their own actions that this matters and to demonstrate compliance and good practice themselves. There needs to be training for everyone and they need to be seen to be committed and serious about this.

Graeme: And how does the CEO get independent assurance that this has all been done correctly?

Jim: The plan needs to include regular, perhaps annual, testing and assessment by independent professionals. And independent means not your existing MSP or the people who set up your security!

“Freeman Clarke Principals bring real-life experience and leadership talent to help mid-market companies establish a strategy and ensure it is executed properly.”

James Sharp, Regional Director, Freeman Clarke

Midmarket Business Cybersecurity Crisis Planning

Graeme: And what does the CEO need to do about crisis planning?

Jim: You need a simple, flexible crisis management plan that is actually useful in the unlikely event it’s ever needed. The plan should focus on clarity about authority, escalation paths and the technical, legal, public relations and investor relations teams required for true crisis management.


In the meantime, see our Cyber Security and Compliance Knowledge Center


Freeman Clarke is the largest and most experienced team of C-level IT leaders. Our team is available on a part-time basis to work with mid-market company CEOs to implement a “data security program” that includes all the administrative, physical and technical safeguards enumerated in the Shield Act.

How Mid-Market Businesses Can Recruit a Quality CTO

IT leaders who focus on software development and digital are often called Chief Technology Officers, or CTOs. You’ll also hear Chief Digital Officer (CDO) and Chief Information Officer (CIO).

Whatever you call them, it’s getting harder for mid-market businesses to recruit a good one. Download our free CEO’s Briefing to learn:

What exactly does a CTO do?

Why are CTOs so hard to find?

Options for finding a CTO

Part-time or fractional CTOs

Freeman Clarke is the largest and most experienced team of part-time, or fractional, IT leaders. We work exclusively with organizations looking to use IT to grow their business. For an informal conversation, contact us and we’ll be in touch.

Bagging the benefits of BYOD

More and more people are using their own technology routinely for work, a trend that’s called Bring Your Own Device (BYOD). For example, many use their own phones for work, or their own iPads, and some even bring their own laptops into the office as well.

BYOD works because people will use their own equipment when it suits them, whether it’s for the occasional evening email, or working from home for several days per week. It also works because many of the devices that people buy for themselves are better than what they get from the office. And staff will normally be more familiar and productive with their own devices.

The obvious opportunity for CEOs is to simply reduce their IT costs with BYOD. But many executives meet with resistance from their IT team or suppliers. To learn how to get past these challenges, and to seize the opportunity of BYOD, download the CEO’s briefing below:

This briefing looks at the Bring Your Own Device (BYOD) trend, which is becoming increasingly popular. We drill into the concerns your IT department might have, and the opportunity for reduced technical costs, improved productivity, reduced staff frustration, flexible working and the capability to move business services to the cloud. We review the risks related to security, such as what data should be accessible on personal devices, how data is stored, whether it’s secure and encrypted, and the movement of data between devices. There are also impacts on the Finance and HR teams and their policies, which are covered in this briefing.

If you found this post relevant you might also want to read our How to Make Working from Home Work briefing.

For any advice or if you’d like to discuss how these working initiatives could work successfully in your own business get in touch: contact@freemanclarke.com
