That Affect Nearly EVERY Small Business Operating Today
As former President Ronald Regan once said, the scariest words you’ll ever hear are,
“We’re from the government and here to help.” In this case, the government is trying to help by forcing nearly all businesses to implement and maintain a robust cyber security program to protect the customer information these companies host – not bad, and all businesses should take this seriously without the government mandating it.
Sadly, most small businesses don’t take cybersecurity seriously enough and believe they are doing enough to prevent a cyber-attack when they aren’t, which is why the government has to step in and create laws (the GLBA Act) to enforce better security protocols.
What Is The New FTC Gramm-Leach-Bliley Act Safeguards Rule, And Who Does It Apply To?
In April of 2022, the FTC issued a new publication entitled “FTC Safeguards Rule: What Your Business Needs to Know.” This was published as a “compliance guide” to ensure that all companies that fall under the Safeguards Rule maintain safeguards to protect the security of customer information.
While you might think your business is “too small” to need to comply or doesn’t hold any data “that a hacker would want,” you’ll be shocked to discover you are likely to be wrong on both fronts.
Hacking groups use automated bots to carry out their attacks randomly – and small businesses are their #1 target due to the gross negligence and inadequate protections they have. You are low-hanging fruit. That’s why it’s not only the obvious organizations, such as CPAs, financial institutions, and credit unions, that need to comply. Here’s a short list of a few organizations that fall under this new law. You should know that this is NOT a complete list:
· Printers that print checks or other financial documents.
· Automotive dealers who provide financing for car purchases.
· Any organization that accepts credit or loans for the goods and services they sell, whether or not the credit is granted.
· Companies that do tax preparation or credit counseling of any kind.
· Real estate settlements, services, or appraisals.
· Career counselors that provide services to people employed by or recently displaced from a financial organization.
As you can see, the companies that must comply are growing rapidly. The bottom line, if you handle any financial data or personally identifiable information, you must ensure you comply with these new standards.
What You Need To Do Now
The rule requires you to implement a “reasonable” information security program. But what does that mean? You need to designate a qualified individual to implement and supervise your IT security program – and you cannot outsource this. Yes, you can and should get a professional IT firm like us to guide you on the implementation, but the buck still stops with you.
The person you designate doesn’t have to have a background in IT or cyber security – but they will ensure your company takes reasonable precautions to comply with the new security standards.
Second, the Safeguards Rule requires you to conduct a risk assessment to initiate an effective security program. From there, you would work with your IT company (us!) to roll out a plan to secure and protect the data you have by putting in place access controls, encryption, data backups, 2FA, and several other protections.
Cyber security is not something you do once – it’s an ongoing protection effort as new threats evolve. If you want to see where your organization stands on cyber security, click here to sign up for a quick, easy, and completely free Cyber Security Risk Assessment. That is the first step toward complying and will give you the information you need about your security stance.