What is the difference between privacy and cybersecurity? Privacy generally applies to an individual’s right to not have his or her personal information shared. Cybersecurity generally applies to the processes and technology in place to protect information that an organization maintains. You could say an organization’s cybersecurity processes help to meet its privacy obligations.
WealthForge is at the forefront of applying financial technology to provide greater efficiency for private capital markets. As with any financial institution, we process a lot of important, private information that needs to be protected. Therefore, we consider it an inherent responsibility to also be a leader in cybersecurity and privacy processes and technology. We recently attended Practicing Law Institute’s 18th Annual Institute on Privacy and Data Security Law in Chicago, and want to share some of what we learned along with our own experience.
Rather than cybersecurity specifically, I prefer to think of it as “information security,” because even the most high-tech organizations have information physically stored and have manual information processes in place. As we’ll discuss later, a good cyber/information security framework will consider privacy implications involved in the type of information it receives, uses, and stores.
We’ve previously reviewed some cybersecurity basics when it comes to spear phishing attacks and vulnerabilities related to employees, but today we are taking a higher-level look. Here are 4 ways to establish and maintain a successful cybersecurity program.
1. Take Inventory
Some organizations implement risk management meetings across all business units. However, from a cybersecurity and privacy standpoint, you will uncover key risk points by “data mapping.” This is an exercise to identify the types of data your organization keeps and where.
A comprehensive data mapping exercise will not only show where information is stored, but how it is transferred into, within, and out of the organization. The more sensitive the information (as dictated by whether privacy implications are involved and the information’s value to the company and its stakeholders), the more focus it should receive in an organization’s ongoing risk assessment process. In this way, your organization can objectively prioritize where it plans to take action.
Two important considerations for a data mapping exercise:
2. Start with a Framework
Once you understand what data you have and how it flows, you need a plan to protect it. A framework is the base upon which an organization builds its entire cybersecurity and privacy approach. In certain industries, the framework your organization starts with will be dictated by regulations. Other companies will have more leeway in where to begin. If you don’t have a framework at all, at best you will have a disjointed set of policies.
Common model frameworks are NIST (the National Institute of Standards and Technology) and ISO (the International Organization for Standardization). Use the aspects of a model framework that apply most to your organization, given its unique size, scope, number of employees, type of information used, and processes. Be honest with yourself about how mature your organization is with respect to privacy and cybersecurity issues.
3. Iterate and Get Better
The framework is not a solution to all problems, but rather a tool to help address what might otherwise be complex, unmanageable cyber-risk issues.
Your framework should be a living, breathing, and dynamic part of your organization and its processes. Once your framework is in place, in whatever form it starts, the point is to use it, and change it, to make your organization better. After operating under the framework’s policies for several months or quarters, you should make adjustments to better reflect how your business actually operates.
You may find it helpful to conduct regular meetings to assess risks, current risk mitigation steps, and plans to execute improved mitigation steps. In proceeding through these meetings in a systematic way and executing improvements between them, your organization’s framework will get better over time.
4. Practice Incident Response
A best practice is to conduct “desktop exercises,” bringing together key internal stakeholders to practice certain aspects of operations within a cybersecurity framework, including disaster recovery and incident response plans. And, while finding the time to bring together the relevant personnel is easier said than done, it is essential to ensure you are ready in the event of an actual cybersecurity incident.
A sample desktop exercise, which can illuminate several issues an organization may want to consider when designing its own individualized exercise, includes the following:
The cybersecurity and privacy space is interesting because the laws and practices are fast-evolving and the issues are not going away. For the same reasons, it is easy to get overwhelmed. Use a framework and develop a system to address risk based on the type and scope of information your company touches. This way, you can more easily conceptualize and address the issues that apply to your unique business.
Disclaimer: WealthForge provides this information to our clients and other friends for educational purposes only. It should not be construed or relied upon as legal advice.