Washington Cybersecurity: Regulations and Guidelines

Cybersecurity has never been more important, especially in Washington State. Washington was listed in the top 10 states by the number of victims to cybercrime in the FBI’s 2019 Internet Crime Report. There were 254.1 victims of data theft per 100,000 in population. To combat cybercriminals, Washington officials have both proposed state privacy legislation and put together security requirements for organizations that receive state funds. 

Whether enforced by law or not, strong security practices are a must for any business looking to succeed and avoid hefty costs (both financially and reputationally). In this blog, we are going to discuss Washington’s cybersecurity requirements and guidelines to help you get your organization on track to protecting valuable data from the wrong hands. 

Why is Cybersecurity Important?

Although many companies are beginning to realize the importance of protecting their data and assets from cybercriminals, many others still don’t believe they are at risk. This is especially true for small business owners who think hackers do not target them due to their size. However, small businesses often take the brunt of cyber attacks, as they don’t have the strong, comprehensive security measures larger organizations have in place, making them an easier mark. 

Cyber Attacks Significantly Impact Businesses

There are many negative consequences of experiencing a cyber attack. Firstly, organizations have to deal with economic costs. Whether it’s the theft of intellectual property and corporate information, or the costs associated with disruptions in operations and repairing systems, damages from cyber crimes can balloon quickly. 

On top of the economic costs, there are reputational costs. After a data breach, a company might lose customer trust. This, along with poor media coverage, can lead to the loss of current and future customers altogether, impacting a business’s revenue stream. 

Finally, there is also the threat of regulatory costs. Governments are beginning to take cybercrime more seriously, passing new privacy laws such as the CCPA. As more states adopt these types of legislation, organizations can suffer from regulatory fines or sanctions as a result of cybercrime. 

Government officials in Washington State are even beginning to discuss a new cybersecurity bill, The Washington Privacy Act. The Washington Privacy Act is comparative to Europe’s GDPR and California’s CCPA. However, the state has not yet passed the proposed law. However, if it passes into law in the future, Washington businesses will have to follow the most strict compliance requirements seen in law so far — complete with hefty fines.

Complying with Washington Cybersecurity Requirements and Guidelines

As potentially costly as a cyber attack can be, know that there are ways to protect your business. With the right mindset and holistic strategy in place, we can start to build the right tools, enact effective policies, and establish the needed collaboration to tackle cybersecurity challenges over the long term. 

To begin securing your organization, it’s important to understand that it’s all about layers. No one solution is going to protect you from everything. It takes multiple methods to create a layered approach. On top of that, the way hackers infiltrate our networks changes all the time. They find new, creative ways to get their hands on our data. So, as criminals adapt, we might have to change the solutions we have in place. 

So, we are going to list out ways that you can begin to layer your approach to cybersecurity. These are guidelines and requirements from WaTech, Washington’s governmental technology services agency. Any organization that receives state funds must follow these practices. However, we encourage every business to begin implementing these as well. Not only will it begin to prepare you for future privacy legislation, but getting your business on track for compliance will also potentially protect you from the many costs associated with cyber attacks. 

1. Understand Data Classification

The first step to protecting your data is to understand how to handle it. But certain types of data need to be treated differently than other types of data. That’s why you need to set up a data classification system. Separating information into different types, such as sensitive, confidential, and special handling, will dictate your approach. If you collect data that falls in different categories, you may need to process each type of data differently. 

2. Create a Hardware/Software Replacement Policy

Many organizations and individuals alike rely on the Internet of Things (IoT). These devices connect to the internet and your network, making them the perfect gateway for hackers to get in if not properly protected. What helps protect these devices is ongoing security updates and patching put out by the manufacturer. However, over time, manufacturers will no longer support old devices or software solutions. 

So, you need to create a hardware and software replacement policy. This policy will dictate when you replace a piece of hardware before it fails or loses support. Standards like ITIL recommends replacing 20% of your hardware and software every five years at a minimum. Using this timeline, you can budget for these changes.

3. Set Up and Configure Your Firewall Appropriately

Next on the list for Washington cybersecurity, is having a network firewall that is licensed and active with the manufacturer. This means it will have security patching and firmware updates. 

Firewalls are an essential layer to your security solution, so it’s important to make sure your firewall offers the most protection. Next-generation firewalls can help with intrusion detection, intrusion prevention, gateway blocking of malware and spyware, and GEO IP blocking technology. 

So, what are a few things you need to ensure are happening on your firewall? Here are a few configurations to put in place:

  • Allow system admin only through secure encrypted protocols
  • Prevent access by unauthorized source IP addresses or subnets
  • Block ingress of internal addresses from an external interface into the DMZ or internal interface
  • Block services, protocols, and ports not specifically allowed
  • Allow only necessary egress communications from the internal network to the DMZ internet and wireless networks
  • Allow only necessary ingress communication from the internal network to the DMZ internet and wireless networks
  • Maintain comprehensive audit trails
  • Fail in a closed state if a failure occurs
  • Operate boundary/perimeter firewalls on a platform specifically dedicated to firewalls

However, when talking about firewalls, remember that a firewall offering a malware or spyware solution does not negate the need for anti-virus, anti-spyware, or anti-malware solutions. 

4. Create a Security Patch Management Policy

The next thing to do for cybersecurity is to have a policy around hardware and software to ensure security patches and updates are actually happening. These updates and patches are securing known vulnerabilities and blocking bad actors from getting into your network. 

To develop and document a policy for IT security patch management, you need to:

  1. Determine who is responsible for this process
  2. Identify authorized software and IS deployment (software inventory)
  3. Create a process to identify and implement patch (update) available for hardware or software packages
  4. Identify a time frame to have these patches deployed using Zero-Day patches
  5. Restrict access from devices that do not conform to patch management (update) policy

With this process in place, you will know how, when, and where devices connected to the internet are being updated.

5. Run System Vulnerability Checks

Another essential element to Washington’s cybersecurity recommendations is to run system vulnerability checks. These scans will help identify any newly discovered security holes in your network. 

So, create a policy for how and when these scans will occur. You can run security vulnerability checks internally or use third-party services (or, ideally, both). WaTech specifically recommends having a third-party vulnerability scan at a minimum of one time per year. The scan will provide details on where your defenses may be weak so you can create a plan of action to mitigate risks.

6. Verify Users and Audit Permissions Regularly: Identity Management

Identity management is significant for any organization because it allows you to verify that users logging into your systems are who they say they are. There are four main categories when it comes to identity management.

1- Unique User ID: a string of characters that identifies a specific user and, in conjunction with a password, passphrase, or other mechanisms, authenticates a user to an information system

2- Two-Factor/Multi-Factor Authentication: controlling access to computers and other IT resources by requiring two or more pieces of evidence that verify the user is who they claim to be. These pieces of evidence consist of something the user knows, such as a password or PIN, something the user has, such as a key card, smart card, or physical token, and something the user is, a biometric identifier such as a fingerprint, facial scan, or retinal scan.

3- Password Policy: a comprehensive, overarching policy for the entire organization. The policy may state that a password needs complexity and rotation every 120 days with no repeating the previous five passwords, needs a minimum of 8 characters, and needs to be significantly different than the previous password.

4- Auto Screen Locking After 10 Minutes

Another element of identity management is regularly auditing and restricting access to those who shouldn’t have it. One example might be a user who was accidentally granted admin rights. Being able to audit and remove these rights is essential. You’ll also want to have a system or tool in place that will report unauthorized or unintentional modifications of data or possible misuse of data. All of these steps will ensure that only authorized users are accessing controlled data.

7. Ensure Data Encryption

Whether or not you are required to comply with Washington cybersecurity regulations, we always recommend you encrypt your data. This pertains to both data in rest and data in motion. By encrypting your data, even if a criminal gets through other layers of protection, they won’t be able to see the information.

When setting up encryption processes, don’t forget about portable media. Devices like thumb drives and hard drives should be encrypted too, and access to these devices should be controlled. You can control access by using a unique user ID and password, or a stronger authentication method such as a physical token or biometrics. 

8. Maintain Email Security

Many, if not all, of us, use email every day. Because we use email to communicate and send files and data frequently, we need to protect it. This includes steps like using an email platform that allows you to encrypt sensitive data. You should also have a spam filter in place to help reduce phishing attempts. Modern AI-based spam filters are extremely beneficial because they can reduce and eliminate risks by looking behind the scenes of an email before delivery to your team. 

9. Protect Wireless Networks

Adding another layer, you’ll want to make sure that you are protecting your wireless networks. Any device that allows wireless access needs to be configured properly — including devices like printers. If a printer allows wireless access and is not configured correctly, hackers can use the printer to break into your network. 

So, you’ll want a minimum of WPA2 or WPA2 Enterprise passphrases on all wireless networks. WaTech also recommends creating three separate wireless networks — one for IT, one for staff, and one for guests. 

10. Have Anti-Virus, Anti-Spyware, and Anti-Ransomware Protection

We need to have the ability to protect against viruses, spyware, and ransomware in our systems. Hence, anti-virus, anti-spyware, and anti-ransomware solutions. These solutions ensure that file networks, email, and web-based traffic are examined for viruses and spyware and can block ransomware. It’s all about detection, prevention, and recovery controls to protect against malicious code.

In Conclusion: Washington Cybersecurity

These are just a few of the security layers the state of Washington recommends. For more information on Washington cybersecurity compliance and recommendations, check out our full webinar. You’ll learn even more ways to protect your business from criminals and keep your data safe. 

Related Insights