Seeking to improve cyber security, a new Massachusetts law compels companies to limit systems access, train employees, install protective software and physically secure their computers.
The importance of cybersecurity goes far beyond individual and business needs. As recent cyber attacks demonstrate, the loss of sensitive information can put all of society at risk. Governments are thus becoming increasingly involved in online security, compelling individuals and organizations at every level of society to keep themselves safe from malware and hacks. A new Massachusetts law seeks to prevent cyber attacks throughout the state, requiring businesses that collect sensitive customer data to:
Defend Their Devices
Under the new law, companies must develop security strategies to keep their customers’ data safe. The key to such strategies is the adoption of advanced defense methods for computer systems. Companies must protect the private information they store with strong passwords, and should change those passwords regularly to minimize the risk that attackers will crack them. They also must protect the devices and networks that store that information with advanced firewalls and anti-malware software. Once firms put these security measures in place, they must monitor them actively and apply updates regularly, staying one step ahead of potential attackers.
Companies cannot allow employees unrestricted access to their systems. Instead, they must strictly control access to different levels of information, limiting regular employees to generic data and features. Sensitive information should be accessible only to senior managers and to those who need it to do their jobs correctly. In addition to defending private data, companies must also limit who performs systems maintenance, downloads files, or transmits information over secure channels. If an employee with access to sensitive data leaves, firms should change the passwords that employee could use immediately. Companies should also carefully vet all new hires to make sure they are trustworthy.
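The access rules above (generic data for regular employees, sensitive data only for managers and those with a need to know, restricted maintenance and transfer duties, and immediate password changes when someone with access leaves) can be expressed as a small least-privilege policy. The following is an added illustration, not text or code from the law or this article; the role names, permission strings, credential names and employees are all constructed for the example.

```python
"""Least-privilege access control with need-to-know grants and offboarding.

Assumed model (constructed for illustration): permissions are strings such as
"read:sensitive"; roles bundle permissions; each employee holds roles plus any
extra need-to-know grants justified by their job; some permissions are guarded
by shared credentials that must be rotated when a holder leaves.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical roles: regular staff see only generic data, managers may read
# sensitive data, and only IT administrators perform maintenance or downloads.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "staff": {"read:general"},
    "manager": {"read:general", "read:sensitive"},
    "it_admin": {"read:general", "perform:maintenance", "download:files"},
}

# Hypothetical shared credentials guarding particular permissions.
CREDENTIAL_FOR_PERMISSION: Dict[str, str] = {
    "read:sensitive": "customer-db-password",
    "perform:maintenance": "server-admin-password",
    "transmit:secure_channel": "sftp-account-password",
}


@dataclass
class Employee:
    name: str
    roles: Set[str] = field(default_factory=set)
    need_to_know: Set[str] = field(default_factory=set)  # extra job-justified grants
    active: bool = True


class AccessController:
    def __init__(self) -> None:
        self.employees: Dict[str, Employee] = {}
        # (employee, permission, allowed) for every decision, for later review
        self.audit_log: List[Tuple[str, str, bool]] = []

    def add_employee(self, emp: Employee) -> None:
        unknown = emp.roles - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.employees[emp.name] = emp

    def permissions_for(self, name: str) -> Set[str]:
        emp = self.employees.get(name)
        if emp is None or not emp.active:
            return set()  # unknown or departed employees are denied everything
        perms: Set[str] = set()
        for role in emp.roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms | emp.need_to_know

    def is_allowed(self, name: str, permission: str) -> bool:
        allowed = permission in self.permissions_for(name)
        self.audit_log.append((name, permission, allowed))
        return allowed

    def offboard(self, name: str) -> List[str]:
        """Deactivate the employee and return the shared credentials to rotate."""
        reachable = self.permissions_for(name)
        self.employees[name].active = False
        return sorted({CREDENTIAL_FOR_PERMISSION[p]
                       for p in reachable if p in CREDENTIAL_FOR_PERMISSION})


def demo() -> Dict[str, object]:
    """Walk through the policy with constructed employees and return the decisions."""
    ac = AccessController()
    ac.add_employee(Employee("alice", roles={"staff"}))
    ac.add_employee(Employee("bob", roles={"manager"}))
    # carol is regular staff but her job requires sending files over the secure channel
    ac.add_employee(Employee("carol", roles={"staff"},
                             need_to_know={"transmit:secure_channel"}))
    results: Dict[str, object] = {
        "alice_sensitive": ac.is_allowed("alice", "read:sensitive"),
        "bob_sensitive": ac.is_allowed("bob", "read:sensitive"),
        "carol_transmit": ac.is_allowed("carol", "transmit:secure_channel"),
        "carol_maintenance": ac.is_allowed("carol", "perform:maintenance"),
    }
    # bob leaves: his access stops at once and the credential he could use is listed
    results["rotate_after_bob_leaves"] = ac.offboard("bob")
    results["bob_after"] = ac.is_allowed("bob", "read:sensitive")
    results["denials_logged"] = sum(1 for _, _, ok in ac.audit_log if not ok)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `audit_log` is what makes the policy reviewable: every decision, including denials, is recorded, so an unexpected run of denied requests for sensitive data can be noticed rather than silently dropped. `offboard` answers the question the article raises when someone leaves: it lists exactly which shared credentials that person could have used, so those are the ones to change first.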
Even if employees have no malicious intent, they can still put a firm at risk inadvertently. The new law thus encourages companies to train their employees in proper safety and device hygiene methods, helping them avoid:
- Logging into sensitive systems from a public Wi-Fi network
- Visiting vulnerable sites from company equipment
- Sharing confidential information about the business, clients, or other employees over channels that are not secure
- Opening junk emails on company servers
Cyber security training should begin the moment employees are hired and continue throughout their careers. The more workers know about cyber risks, the fewer avenues an attacker will have.
In addition to calling for security software and employee safety measures, the law also highlights the importance of physical security. If attackers cannot hack your computers, they may break into the building to sabotage equipment or steal sensitive printed information. Locking your building, installing a security system, and placing hardware and other sensitive assets in secure locations all reduce these risks. You should also insure your equipment against power surges and environmental hazards, lest weather and grid problems render your computer systems unusable.