How to Shield Your New Business Against Cyber Threats

Guest Post By Derek Goodman

If you’re thinking about starting a business, there are likely hundreds of things on your mind. While it’s important to consider what exactly it is you’re selling, who your target audience is, and how you’re going to get your first customers, don’t forget about cybersecurity. Shielding your business from security threats is one of the best ways to ensure your long-term success. In this article, The Cyber Resilience Institute shares everything you need to know to protect your new business from cyber attacks.

Why You Should Care About Cybersecurity

Is cybersecurity really a priority right now? Do small businesses even need to worry about cyber attacks? The answer to both of these questions is a resounding yes! Small businesses are frequent victims of cyber security threats. According to PR Newswire, approximately 43% of cyber attacks target small businesses. What’s more, over half of all small businesses that experience a cyber attack go out of business within just 6 months. As breaches continue to rise alongside a growing reliance on digital data storage, small businesses cannot be too careful.

Avoiding cyber threats should be one of your top priorities as you work to get your business off the ground. Once you understand how simple cybersecurity upgrades can save businesses from bankruptcy, you might even want to start your own cybersecurity business!

Protect Your Business Hardware

To get started, make sure each and every one of your business devices is protected from digital attacks. This includes computers, USB drives, servers, and mobile devices. Too many business owners focus on securing their online data but overlook company hardware. The loss or theft of business hardware can give anyone access to your sensitive business information. Make sure all hardware is protected with a strong password. Be sure to also use antivirus software and firewalls to keep potential hackers from accessing your devices via your internet connection. With a simple online search, you can find many cost-effective solutions well-suited to the needs of your business.

Encrypt and Back Up Data

Even with strong prevention systems in place, you must be prepared for a data breach. Be sure to encrypt your data so that hackers cannot use it, even if they gain access to your servers. SealPath explains that data encryption should be used for any data that is related to compliance with regulations or business agreements. You should also encrypt any data that could harm customers or that contains intellectual property that would be valuable to your competitors. Make it as easy as possible for people at your organization to encrypt sensitive data. For example, you can automate the encryption of data that is stored in certain folders on file servers or in cloud applications like Dropbox.

Implement a Recovery Plan

Encrypting your data will help prevent hackers from selling it or threatening to release it to the public unless you pay a ransom. But if your data is lost or frozen in an attack, you won’t be able to get your business up and running until you recover it. Data recovery is therefore an essential part of any data protection plan. Establish a recovery plan now so you can restore lost or stolen data as quickly as possible. An effective data recovery plan will identify the applications you need to recover first as well as the individuals at your organization who will be involved in the recovery effort.

Encourage Your Employees to Care About Security

Your employees are your first line of defense against security threats. At the same time, your employees are your largest security vulnerability. Encourage them to care about the security of your business data by starting cyber awareness training during employee onboarding. Building the cybersecurity mindset in your employees from day one will set the stage for their continuous engagement in your cybersecurity plan. After this, keep an open line of communication with your staff to ensure everyone knows about updates and changes to your cybersecurity defenses.

The importance of cybersecurity cannot be overstated. By implementing good cybersecurity practices at your business, you can be prepared for any cyber threats thrown at you. Take preventative action now so you can ensure the long-term viability of your business!

It’s Precedent — The Human Body is Subject to Property Law, which Enables a Digital DNA Right

By: Doug DePeppe, Esq.

The ramifications of the premise are of course transformative — imagine if all data associated with a person were owned by that person! It would substantially disrupt the data-driven ecosystems of Silicon Valley (and everywhere else). More importantly, individuals would regain control over their digital identity.

HEY! THAT’S MY FINGER

Since the premise starts with one’s power over his own personhood, let’s consider ownership of body parts. I was once told a couple of old stories about human appendages. In the first story, a woman lost her wooden leg during a flash flood. Some weeks later, the wooden prosthetic was located, but had been put to use at a saloon to steady a table. Confronted with the ownership claim by the woman and her husband, the saloon owner readily returned the property to its rightful owner.

This story is hardly surprising, as a wooden leg is easily understood as something that would have rights of ownership attached to it. Accordingly, leaving aside any human ethics or common courtesy recognition by the saloon owner when confronted by a one-legged woman demanding return of her leg, it also would have been readily appreciated that a found prosthetic belonged to someone else. And so, as a sign of respect for the notion of property ownership, the saloon keeper gave it back.

The other story involves a severed pinky. At a construction site, an accident led to the loss of limb; and while the victim was rushed to a doctor, a fellow worker retrieved the pinky and ice-packed it. Shortly thereafter, in another show of respect for ownership of a body part, the pinky was returned to its rightful owner.

Respect for ownership of one’s own body parts is usually a straightforward proposition. However, the advances of science and bio-medicine have created some complexity around the ownership question in certain use cases. Yet, the core issue of having ownership and decision rights regarding one’s own being remains sacrosanct. In an important medical research article into the ownership of human biological materials, Carlo Petrini revealed the evolution of the law. His research is briefly explored here to illustrate that the law uniformly respects ownership over one’s identity.

BODY PARTS CAN BE PROPERTY

In an article for the National Center for Biotechnology Information, and published in the National Library of Medicine, under the National Institutes of Health (NIH), Carlo Petrini surveyed the ownership question, first observing:

[The question is complex concerning] a person’s ownership of his or her own body [with] an ample output of literature, including the philosopher John Locke, according to whom, “every man has a property in his own person.” Other philosophers have proposed a different angle, which Stephen Munzer summed up in the phrase “persons do not own their own bodies but […] they do have limited property rights in them.”

Petrini immediately begins exploring the reach of those “limited property rights” because his focus, writing for the biomedical community, is to reveal the teachings of the law arising from the outer edges of biomedical research. At the outset, he also readily acknowledges that the “management of biological material (cells and tissues) requires a number of considerations, including technical–scientific, organizational, ethical, and legal.” For this writing, I note that his research is equally useful for a data science use case, and the question of how far property law might go arising from one’s digital identity.

Petrini reviews legal disputes from Australia and England involving the claimed property rights associated with body parts. However, each legal dispute derived from the body parts of a deceased person. In the English case, the court observed:

We return to the first question, that is to say whether or not a corpse or part of a corpse is property. We accept that, however questionable the historical origins of the principle, it has now been the common law for 150 years at least that neither a corpse, nor parts of a corpse, are in themselves and without more capable of being property protected by rights.

* * *

[However, b]ecause the parts had been the object of “skilled work” of a previous generation of surgeons, they could be considered the property of the Royal College of Surgeons.[1]

The English court adopted the reasoning of a 1908 Australian case[2], which involved scientific research, in a laboratory, regarding a two-headed fetus. The Australian court had observed that the research conducted had been “the lawful exercise of work or skill so […] that it has acquired some attributes differentiating it from a mere corpse awaiting burial.” In other words, whereas a corpse can never be property under the law, both courts were willing to extend a property right onto body parts which had been subjected to a lawful use of skill, and in such a manner that the body part could no longer be considered a corpse or part of a corpse.

Finally, Petrini cites AB and Others v Leeds Teaching Hospital NHS Trust[3], which concerned the preservation of organs, and in which the English High Court declared in 2004:

In my judgement the principle that part of a body may acquire the character of property which can be the subject of rights of possession and ownership is now part of our law.[4]

Ending his survey of jurisprudence on the question of property rights arising from body parts, Petrini concludes:

It is generally recognized that once the biological material has been removed from the donor, the recipient acquires the right to possession and use, regardless of whether he or she is also the owner. In the event the recipient has also processed the material in some way, he or she acquires an additional series of rights, including, at least in some cases, a right of ownership.[5]

The foremost point to draw from Petrini’s analysis is that human body parts, which are indelibly linked with one’s identity, have indeed been viewed and treated within a property right framework. But equally important is the contrast: Petrini’s research involved a third party’s claims concerning body parts, not the claims of a person seeking to recover ownership of his own identity. That is, the severed pinky claimant faces a far smaller legal and ethical challenge in reclaiming a facet of his humanity than a medical researcher dealing with a body part from a deceased organ donor. Indeed, Petrini points to the Universal Declaration of Human Rights at the outset of his article to draw upon the broad principles of humanity that form the foundation of certain human rights.

WHAT IS THE REACH OF PROPERTY LAW RELATED TO DATA AND IDENTITY?

According to the court in Leeds Teaching Hospital NHS Trust, the test is whether an aspect of one’s identity “may acquire the character of property”. Some might argue that the focus of the court’s analysis was whether a body part could acquire the character of property, and that the court was not analyzing data. However, data derived from a person is less troubling when framed as a property issue than a body part is. Two examples of the unquestioned property protections afforded to personal data are Name, Image, Likeness (NIL) rights and the relentless trademark protection efforts surrounding Marilyn Monroe’s iconic digital images. Data is unquestionably property which can be protected under intellectual property law. Yet digital identity is a broader idea. It involves all the data elements derived from human interaction with the Internet. Moreover, this data is incredibly invasive of one’s identity and privacy, as revealed in my earlier article when I addressed the U.S. Supreme Court’s recognition in Riley v. California[6] of the extensive amount of personal information contained on the ordinary smartphone. Digital identity is nevertheless data, and data is property. The only open question is how comprehensive one’s rights are to data concerning oneself.

The law around human rights is broad and encompasses digital identity. The Universal Declaration of Human Rights adopts a robust view of human rights which include the right of personality, the right of dignity, the right of immunity of the person, and several other protections that derive from an individual’s uniqueness as a human being. This universal authority provides the nexus between data and a person’s humanity. This nexus is also shown from the commodification of privacy data, human behavior tracking, and other personal identity features of data-centric Internet enterprises. As Scott McNealy infamously declared about the Internet: “You have zero privacy anyway. Get over it.” That is to say: the Internet already treats personal data as property, except that the ownership of it has been claimed by companies.

BUT IT’S MY PROPERTY, I OWN MY DATA, AND I CAN TAKE BACK MY DIGITAL IDENTITY

Scott McNealy may have been largely correct on privacy grounds. But data undoubtedly “may acquire the character of property”. Indeed, data is property. NIL is undoubtedly property; but, so is tracking data, and other data captured from one’s interaction with Internet technologies. That’s because Big Tech monetizes individual data; and in so doing, it treats data acquired from the individual as a property it proceeds to monetize. Indeed, there is a sequel to the McNealy quote, which itself is a truism that demonstrates the point:

If you’re not paying for the product; you ARE the product!

The current state of the Internet and the businesses that commoditize and profit off personal data is both disruptive to society and violative of human dignity. In the prior article, I introduced Digital Identity Sovereignty™, which is the notion and the practice of recovering individual data rights through property law. The premise of adopting property law to protect one’s Digital DNA is sound, as illustrated above. More work is needed around the framework and practice of Digital Identity Sovereignty™, to improve its foundation, to demonstrate Use Cases, to develop and incorporate technology, and to socialize it and encourage early adopters. But, when disputes around body parts have historically been redressed under property law, there should be no hesitation to adopt property law mechanisms to enforce one’s universal rights around digital identity.

About Digital Identity Sovereignty™: The research, technology development and integration, professional practice methods, and Use Case experiences are being developed by a group of partnerships, including eosedge Legal, the CyberJurist Network, OnCall Cyber, CTIN, FBC, Sports-ISAO, the Cyber Resilience Institute, and a growing list of collaborators, academics, and privacy advocates.

[1] Id., citing R v Kelly & Lindsay, Q.B. 621 (1999).

[2] Id., citing Doodeward v Spence, 6 CLR 406 (1908).

[3] High Court of Justice. AB and Ors v Leeds Teaching Hospital NHS Trust. Court of Appeal — Queen’s Bench Division; Mar 26, 2004.

[4] Id.

[5] Id., (Petrini article).

[6] Riley v. California, 573 U.S. 373 (2014).

This post is a reprint from: https://medium.com/@depepped44/its-precedent-the-human-body-is-subject-to-property-law-which-enables-a-digital-dna-right-cc9769c7c66d

Used with permission.

Comparing the Roles of the CISO vs. the CSO

Guest Post by Dhvani Patel

As companies mature their security practices, they often hire both a Chief Information Security Officer (CISO) and a Chief Security Officer (CSO). This essay outlines the typical roles and responsibilities of each.

CISO

The CISO is the executive responsible for an organization’s data and information security. The CISO has recently been gaining prominence as a corporate position whose purpose is to protect against information security risks. The role was created to help organizations protect their digital assets, including computer systems and networks, from hackers and other cyber threats. The CISO works with other C-level executives, business managers, the security team, and information technology (IT) managers to effectively monitor and maintain the security of the company’s computers, networks, applications, and databases.

The CISO’s primary responsibility is to understand security operations and challenges in the current and future states of the organization’s business operations. In order to make effective business decisions, the CISO needs in-depth knowledge of the organization’s operations, functions, and business disciplines like human resources (HR), compliance, and finance. The CISO oversees security operations; duties include evaluating the IT threat landscape, developing cyber security policy and controls to reduce risk, and leading auditing and compliance initiatives. He or she performs real-time analysis of immediate threats and triages them when something goes wrong.

The CISO is also responsible for disaster recovery. Duties include developing cyber resiliency programs so the organization can rapidly recover from natural disasters such as flooding, earthquakes, or hurricanes, as well as from hacking and other security incidents. He or she determines what went wrong if there is a breach, and deals with those who are responsible (if they are internal). He or she develops the plan for avoiding a repeat of the incident or crisis. The CISO develops and maintains the various security policy domains associated with information security, compliance, governance, risk management, incident management, HR management, and many more, and ensures that the organization keeps pace with changing and growing compliance regulations.

CISOs are required to have at least a bachelor’s degree in security, IT, computer science, or a related field, with seven to twelve years of related experience and at least five years of experience in a management role. The CISO should have technical skills and should be familiar with various industry standards and frameworks like SOX, HIPAA, PCI, NIST, etc. In addition to the bachelor’s degree, a CISO is typically required to maintain a certification like CISSP, CISM, or CISA. The CISO should have management, communication, and leadership skills, among others. Reported annual salaries for CISOs range from $164,000 for the lowest 10% to $229,000 for the highest 10%.

CSO

The CSO is the executive in charge of the security of personnel, physical assets, and information and data in both physical and digital form. The CSO is a member of an organization’s upper management team and works with both the security and IT teams. According to Investopedia, the CSO is responsible for developing and overseeing the policies and programs used to mitigate or reduce compliance, operational, strategic, and financial security risks relating to personnel, assets, and other property. The CSO leads risk management activities and oversees strategies to assess and mitigate risk, thereby safeguarding the organization and its assets.

The CSO is responsible for developing, implementing, and maintaining security policies and processes, identifying and reducing security risks, and limiting liability. He or she oversees network security architectures, network access and monitoring policies, and security education, training, and awareness programs. CSOs are responsible for making sure that the organization is in compliance with local, national, and global regulations. They conduct independent security audits, especially in areas such as privacy, health, and safety. A CSO conducts research and implements security management solutions to help keep the organization, its assets, and its information safe. A CSO also oversees incident response planning, investigates security incidents and breaches, and assists with disciplinary and legal actions.

CSOs are required to have a bachelor’s degree in cyber security, IT, computer science, or a related field, as well as to maintain cyber security certifications. In addition to the bachelor’s degree and certifications, they should also have at least seven years of experience. CSOs should have a technical background and a proven track record in both technical and functional areas of security. They should have some experience with tools and systems like identity and access management, threat intelligence, security information and event management (SIEM), endpoint protection, and audit logging and monitoring. They should have a high-level understanding of compliance and risk. A CSO should have knowledge of contract management for overseeing the quality of security vendors; therefore, good communication skills are a must. They should have management and leadership skills as well. The average salary of a CSO is $148,000.

References:

  1. J. Fruhlinger, “What is a CISO? Responsibilities and requirements for this vital role,” CSO Online, 01-Apr-2021. [Online]. Available: https://www.csoonline.com/article/3332026/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html. [Accessed: 26-Apr-2021].
  2. W. Kenton, “Chief Security Officer (CSO),” Investopedia, 17-Feb-2021. [Online]. Available: https://www.investopedia.com/terms/c/cso.asp. [Accessed: 26-Apr-2021].
  3. Western Governors University, “CISO Job Description And Outlook,” Western Governors University, 11-Dec-2020. [Online]. Available: https://www.wgu.edu/blog/ciso-job-description-outlook2012.html. [Accessed: 26-Apr-2021].
  4. University of San Diego, “What is a Chief Security Officer (CSO)?,” 08-Nov-2018. [Online]. Available: https://onlinedegrees.sandiego.edu/what-is-a-chief-security-officer-high-demand-skyrocketing-pay-for-csos/. [Accessed: 26-Apr-2021].