CYSE/IT 200T Weekly Freewrite 3

If I were a policy maker, I would obligate companies with more than 20 employees to implement a minimum set of cybersecurity regulations in the sectors listed. For company policy, I would enforce the ruling that all passwords relevant to company accounts/hardware/software be randomly generated and stored in secure places with biometric security, along with putting them on a weekly refresh cycle. Companies would also be required to have a dedicated IT staff to ensure that all systems have strong antivirus measures and that all pertinent software is kept on the most recent version, or at least that which is most secure. Staff would also not be allowed to bring personal electronics into the building, and all company hardware that leaves the building must have biometric security measures or randomly generated passwords. For awareness, training, and education, which I feel would be very interconnected, I would implement rules that require all staff to take rudimentary courses on both computer and cyber security basics so that they understand the risks they could encounter and how to properly deal with them. All employees should also be trained to be more computer literate in general, so that they understand how the devices they’re using actually work internally. In regard to technology, I would implement the aforementioned measures: biometric security and refreshing, regenerating passwords, in addition to methods like 2-factor authentication and watchdog software that monitors all systems in use by the company and reports irregularities.

I would impose penalties on companies that don’t follow these, as they run the risk of putting their customers’ sensitive data on the line, which could cost the company, the consumers, and our economy a great deal of money.
