In my Companyweb SharePoint I have set up a page that provides me with the headlines from about 25 blogs. These headlines make up my morning news. All of the blogs that I track are geared toward people like me supporting small business networks. Some are from Microsoft employees and product groups, others are by individuals. One of those individuals is Susan Bradley. She's a partner in a CPA firm in Fresno, CA. She's also one of the top guns in Small Business Server. She's known as the SBS Diva and the patch-o-holic, and she's a Microsoft Most Valuable Professional in Security and Small Business Server. She knows her stuff.
We all do business in California in one way or another, so the laws that they pass in that state affect us whether we know it or not. The law that says that if your network isn't secured and is breached, you must tell all of your clients about it within a certain number of days has been around for a couple of years. You might have received the notice from Wells Fargo a while back. If you have a client that lives in California, then you're doing business in California and are subject to this law. Now, as legislators do, they are looking to tighten up the law and make the penalties steeper. I found what Susan had to say interesting and thought you might too.
So often we take for granted that what we have isn't of value to anyone but us, and often it isn't. The spyware that gets into your computer and sends an email out to everyone in your contact list doesn't care what business you're in; it just cares about being annoying. The hacker doesn't care if you've got top secrets on your network; he only cares about wreaking havoc on the masses. The reality is that these guys aren't aiming at you, but they can cost your company money and reputation.
So here's a repost of her blog... take it away, Susan. Oh, you should also know that Susan is known for swinging her 2x4, so just be aware that her writing can be very direct.
It's the general concept here that's important, not the specifics.
"The cost of doing nothing
SB 1744 Senate Bill - AMENDED:
Existing law requires any agency, or a person or business conducting business in California, which owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The bill would require that an agency or a person or business that has suffered a breach of the security of the system to provide 1 year of a credit monitoring service, as defined, without charge offer to pay the fees associated with placing a security freeze on consumer credit reports to each person whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The bill would require specified information to be included in the notice given to California residents pursuant to these provisions and would require a copy of these notices also be provided to the Office of Privacy Protection. The bill would also make technical changes to these provisions.
To me that's a bit bone-chilling...but at the same time... there's a part of me that says maybe stuff like this is the key to get folks to wake up and start taking security seriously.... the next time one of your small businesses that handle names or credit card numbers or anything.. and either due to the fact that they cannot (vendors won't support encryption) or they don't want to take security seriously... quantify the costs of offering to every single one of their potentially affected clients or customers... a year's worth of credit monitoring service. Now then, now that you have THAT quantifiable cost stuck in your brain.. think about the stuff that doesn't have a price tag on it... unless you are in the Business valuation biz like I am.
Public Relations impact
Quantify those... quantify the value of your business... now then... are you.. RIGHT NOW...this very moment doing "good enough" security to ensure that you are taking reasonable security precautions to protect the valuable data you have? I know I'm not doing as much as I should and I could do more... I know my vendors (and I'm not talking Microsoft here..but CCH and Intuit) are definitely NOT doing enough to HELP me protect my clients' data. I know that I need to do a better job of end user education. My gang know enough to ask me ..but I could do better here. I need to add remote control software and better management of home machines that connect to my network. They are just as much a part of the security fabric of my network. I want to do (I need to do) a better job controlling/filtering/protecting email. Even though sometimes I don't quite consider SPAM as a security risk.. the fact that it's an example of social engineering that's slithering its way into my firm means I need to do more.
No, it's not law... but it's having a hearing in a few days.... and you know what... while there's a bit of a chill factor in reading that proposed law... it's hard to argue against it, isn't it? We do need to step up to the plate and do our part. And we're really not, are we?
So pay for security in your networks..a cost to ensure that "nothing bad happens" (as someone is apt to say in his speeches and book), or pay for it later... and at a much higher cost than you intended to....a real cost to your business.
Quantify doing nothing... absolutely nothing at all.... and soon you'll realize it has a much higher cost to your business than the price tag of "nothing bad happening"."