Acting FTC Chair Maureen Ohlhausen addressed a meeting of the National Cyber Security Alliance on Monday at the NASDAQ in New York City.
Charlie Tupitza asked a question about the importance of public-private collaboration, especially in how it helps small businesses understand reasonable approaches. She gave a very positive response.
Maureen Ohlhausen echoed the Forum's opinion about the value of helping small businesses. It is critical to consider the needs and abilities of small businesses while we collaborate on a more holistic view of the business value of cyber resilience. Since small and mid-size businesses play such an important role in our supply chain, we must do everything we can to help them with reasonable approaches to protect themselves, partners and customers.
Here are the question and her response from the event.
We see a number of organizations struggling to map to the CSF and deal with reasonableness. We wonder what value you see in public and private collaboration to help determine reasonableness and address the difference between large and small organizations.
I think there can be enormous value to have public and private collaboration and discussion on these issues of the NIST Cyber Security Framework and Reasonableness.
Reasonableness is the FTC’s touchstone and it is based on the size of the organization. We do understand that small organizations don’t have the resources of large organizations, but that doesn’t mean that they can’t take basic steps.
So the kinds of areas we have brought enforcement actions have been areas of don’t have the password be the name of your company. Have a firewall. See what data you have, why and who has access to it. Don’t give access to everybody to the most secure sensitive types of data if they don’t need access. These are some basic low cost steps and I think that business can be very useful as part of the dialog to be a resource to say what is a cost effective step. What is reasonable for a small company to take to secure data to the best of their ability understanding their ability for a small company wouldn’t necessarily be the same as a Fortune 500 company’s ability.