In Part 1 of our "celebration" of Data Privacy/Data Protection Day—January 28—we told about the origins of and current day significance of this event. And we began our exploration of the important differences between data privacy and data protection.

We concluded Part 1 with: Protecting privacy (outside of Europe, at least) doesn’t typically have a codified role or department in many small to medium-size organizations. Consider this data from the US Privacy Shield program: Of the 6,000 organizations registered as of 2020, the largest percentage of data privacy points of contact listed were in the legal department (15.8%). Only 7.7% of the companies listed had a specific Information Security function, and in some cases, the privacy protection duties fell to Sales, HR, Marketing, or an admin function in the organization.

Let’s continue.

Protecting data privacy is not the same as protecting the data itself. 

Protecting data is a cybersecurity concern that typically falls under an organization’s Information Technology (IT) function. But many small- and medium-size organizations place the responsibilities for cybersecurity under the section of the job title that reads “other duties as assigned.” The reality is that most SMBs don’t have the resources, understanding, and commitment to data protection that is necessary to ensure they have minimized their risk of breaches and data theft.

Cybersecurity: Where to Begin

Most CTOs, IT directors, and even CEOs will understand what they have to lose if they are breached or compromised. But it can still be difficult to get the budget, training, awareness, and commitment to achieve true cybersecurity. Here’s where to start:

1. Know where you are today. 

It is unlikely that the CEO is going to magically approve a CISO (Chief Information Security Officer) role within the organization and then sign off on a budget for that newly minted CISO to hire a team. The price tag is simply too high for most SMBs. But it is likely that they are worried about their systems and security. An audit of existing systems creates an opportunity to discover where the real risks lie and how critical they are. It also helps create a path for a better, more mature cybersecurity practice within the organization.

2. Know the value of protecting your data. 

According to a Cisco report on data protection and privacy, mature organizations saw the following benefits of a holistic cyber risk management plan:

  • Reduced sales delays
  • Mitigated losses from breaches
  • Increased innovation enablement
  • Achieving/Increasing operational efficiency
  • Increased buyer loyalty and trust
  • Increased attractiveness to investors (this is the one your CEO needs to see!)

3. Consider a virtual Chief Information Security Officer (vCISO). 

CISOs can be an expensive hire, commanding top dollar for most industries and difficult to recruit for and fill. Despite the challenges in finding the right candidate, most CISOs last approximately 18 months before moving on to their next role. And the reality of most SMBs is that their technology staff is too busy putting out day-to-day fires to think about a long-term fire protection approach. A vCISO can help you assess and mitigate. Learn more about what services a vCISO can provide in this comprehensive guide.

4. Insure what you can’t mitigate. 

Even the most secure systems are at risk from advanced persistent threats (APTs) and bad actors with significant resources supporting them. But while you can’t guarantee you’re 100% safe—no one can—you can insure against the unknowns once you have done everything you reasonably can to safeguard your business.