Page 127 - Cyber Defense eMagazine March 2024

Companies are not required to share technical information about incidents or their responses to them.
            The rule allows for exceptions when reporting would jeopardize national security or public safety. The
            new rule also requires public companies to annually disclose their “cybersecurity risk management,
            strategy, and governance” practices in terms that a prospective investor could understand.




            Make clear, timely cybersecurity communication part of your culture

            In many organizations, cybersecurity operates behind the scenes or keeps a tight lid on disclosures to
            avoid oversharing information that could be misused in the wrong hands. Caution and discernment are
            always important when discussing security, but these new requirements can serve as a prompt for
            organizations to review their incident disclosure protocols and their communication guidelines for talking
            about incidents and security practices. Even if your organization isn’t required by law to comply with the
            new SEC rules, this approach can put your company in a better position to respond effectively when an
            incident occurs.



            Cybersecurity is increasingly everywhere

            With so many of our work processes, communications, infrastructure operations, and personal lives
            taking place online, criminals have a nearly limitless list of potential ways to attack organizations. With
            scammers targeting everything from government databases and telecommunications networks to social
            media and retail customer rewards programs, it gets clearer every year that everything digital needs
            built-in security.



            Normalize thinking about security across the organization

            Many companies that are thriving in today’s economy are those that improve security for existing products
            or processes. That’s an indicator that organizations can benefit from reviewing their technology stacks,
            networks, and other infrastructure to see where they have strong security and where it needs
            improvement. It’s also a sign that everyone in the organization should be part of conversations about
            security at some level, including how to report concerns and what to do if there’s an incident.



            Embedding security in your company culture

            When your company’s employees and leaders are encouraged to think creatively about using technology
            like Gen AI for security, you’re more likely to develop new strategies to combat new threats, without
            waiting until there’s a crisis to react. When your company has policies in place for timely incident reporting
            and easy-to-understand security practice disclosures, you’re better prepared for incidents and for
            inquiries from your board, potential investors, and other key stakeholders.








            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.