With new industry standards and regulatory requirements impacting all industries, cybersecurity compliance becomes a driving force underlying business success.
With new industry standards and regulatory requirements impacting all industries, cybersecurity compliance becomes a driving force underlying business success.
As the number and severity of cyber attacks increases, industry standards organizations and governments seek to enforce cybersecurity by establishing more stringent compliance requirements. However, compliance requirements often lag behind cybersecurity risk. Therefore, to prepare for changing compliance requirements, organizations need to create a security-first approach to cybersecurity so that they can stay ahead of the evolving requirements.
What are the data breach risks?
The 2020 Data Breach Investigation Report noted several trends.
- 28% of data breaches involved small businesses
- 70% of breaches were perpetrated by outsiders
- 45% of breaches featured hacking
- 22% of breaches included social engineering
- 86% of breaches were financially motivated
- More than 25% of breaches still take months or more to discover
The newest statistics indicate that cybercriminals target small businesses to gain unauthorized access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting weaknesses in systems, networks, software, and people to gain entry.
Many small businesses currently lack the appropriate resources necessary to defend against these attacks, which increases the likelihood that cybercriminals will continue to target them.
What is compliance?
In general, compliance is defined as following rules and meeting requirements. In cybersecurity, compliance means creating a program that establishes risk-based controls to protect the integrity, confidentiality, and accessibility of information stored, processed, or transferred.
However, cybersecurity compliance is not based in a stand-alone standard or regulation. Depending on the industry, different standards may overlap, which can create confusion and excess work for organizations using a checklist-based approach.
For example, the healthcare industry needs to meet Health Insurance Portability and Accountability Act (HIPAA) compliance requirements, but if a provider also accepts payments through a point-of-service (POS) device, then it also needs to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Companies that serve customers or do business with individuals in the European Union must comply with the EU General Data Protection Regulation (GDPR), and businesses meeting certain criteria that have customers in California must comply with the California Consumer Privacy Act (CCPA).
Moreover, as compliance requirements shift from control-based to risk-based, the landscape of cybersecurity compliance also shifts.
What types of data are subject to cybersecurity compliance?
Cybersecurity and data protection laws and regulations focus on the protection of sensitive data, such as personally identifiable information (PII), protected health information (PHI), and financial information. Personally identifiable information includes any information that uniquely identifies an individual, such as:
- First and last name
- Date of birth
- Social security number
- Address
- Mother’s maiden name
Protected health information includes information that could be used to identify an individual or details regarding their health history or treatments, such as:
- Medical history
- Records of admissions
- Prescription records
- Information about medical appointments
- Insurance records
Financial data includes information about payment methods, credit card numbers, and other details that could be used to steal an individual’s identity or financial resources. Stolen credit card numbers, for instance, can be used to make unauthorized purchases. Sensitive financial data includes:
- Social security numbers
- Credit card numbers
- Bank account numbers
- Debit card pin numbers
- Credit history and credit ratings
Other sensitive data that may be subject to state, regional, or industry regulations includes:
- IP addresses
- Email addresses, usernames, and passwords
- Authenticators, including biometrics such as fingerprints, voice prints, and facial recognition data
- Marital status
- Race
- Religion
Benefits of cybersecurity compliance
Organizations subject to industry or regional cybersecurity regulations are required by law to meet compliance and take the prescribed actions following the discovery of a data breach. Companies found to be non-compliant may face stiff fines and penalties should they suffer a breach. Strict adherence to cybersecurity compliance requirements reduces the risk of a data breach and the associated response and recovery costs, as well as the less-quantifiable costs of a breach such as reputation damage, business interruption, and loss of business.
Having robust cybersecurity compliance measures in place, on the other hand, enables you to protect your company’s reputation, maintain consumer trust, and build customer loyalty by ensuring that your customer’s sensitive information is safe and secure. Plus, with clear and consistent systems for managing, storing, and using sensitive data, your business will benefit from greater operational efficiency.
Meeting regulatory compliance standards and requirements has benefits for organizations beyond protecting sensitive data as required by law. Implementing the appropriate safeguards and security measures to protect sensitive customer and employee information bolsters your company’s security posture, which also helps to protect intellectual property such as trade secrets, software code, product specifications, and other information that gives your company a competitive advantage.
5 Steps to Creating a Cybersecurity Compliance Program
1. Create a Compliance Team
Even in small to mid-sized businesses, a compliance team is necessary. Cybersecurity does not exist in a vacuum. As organizations continue to move their business critical operations to the cloud, they need to create an interdepartmental workflow and communicate across business and IT departments.
2. Establish a Risk Analysis Process
As more standards and regulations focus on taking a risk-based approach to compliance, organizations of all sizes need to engage in the risk analysis process.
IDENTIFY
Identify all information assets and information systems, networks, and data that they access.
ASSESS RISK
Review the risk level of each data type. Determine where high risk information is stored, transmitted, and collected and rate the risk of those locations accordingly.
ANALYZE RISK
After assessing risk, you need to analyze risk. Traditionally, organizations use the following formula:
Risk = (Likelihood of Breach x Impact)/Cost
SET RISK TOLERANCE
After analyzing the risk, you need to determine whether to transfer, refuse, accept, or mitigate the risk.
3. Set Controls
Based on your risk tolerance, you need to determine how to mitigate or transfer risk. Controls can include:
- Firewalls
- Encryption
- Password policies
- Vendor risk management program
- Employee training
- Insurance
4. Create Policies
Policies document your compliance activities and controls. These policies serve as the foundation for any internal or external audits necessary.
5. Continuously Monitor and Respond
All compliance requirements focus on the way in which threats evolve. Cybercriminals continuously work to find new ways to obtain data. Rather than working to find new vulnerabilities, called Zero Day Attacks, they prefer to rework existing strategies. For example, they may combine two different types of known ransomware programs to create a new one.
Continuous monitoring helps detect new threats. The key to a compliance program is to respond to these threats before they lead to a data breach. Without responding to an identified threat, the monitoring leaves you open to negligence arising from lack of security.
Why you need continuous documentation for continuous assurance
Security is the act of protecting your information. Compliance is the documentation of those actions. While you may be protecting your systems, networks, and software, you cannot prove control effectiveness without documentation.
Documenting your continuous monitoring and response activities provides your internal or external auditors with the information necessary to prove governance. Moreover, the documentation process eases conversations with business leadership and enables the Board of Directors to better review cybersecurity risk. Since compliance requirements focus on Board governance over the cybersecurity program, documenting risk, monitoring, and remediation in an easy-to-digest way enables you to meet these compliance requirements.
Why you need a single-source-of-information
With the number of stakeholders involved in cybersecurity compliance activities, maintaining shared documents leads to a variety of potential compliance risks. Shared documents can be updated without the document owner’s knowledge. People can make copies which leads to multiple versions which leads to lack of visibility.
A single-source-of-information allows all stakeholders to track and review compliance activities while maintaining compliance data integrity.
