Cybersecurity Compliance 101

Cyber Security

/

May 22, 2019

Karen Walsh

As the number and severity of cyberattacks increases, industry standards organizations and governments seek to enforce cybersecurity by establishing more stringent compliance requirements. However, compliance requirements often lag behind cybersecurity risk. Therefore, to prepare for changing compliance requirements, organizations need to create a security-first approach to cybersecurity so that they can stay ahead of the evolving requirements.

What are the data breach risks?

The 2019 Data Breach Investigation Report noted several trends.

  • 43% of data breaches involved small businesses
  • 69% of breaches were perpetrated by outsiders
  • 53% of breaches featured hacking
  • 33% of breaches included social engineering
  • 71% of breaches were financially motivated
  • 56% of breaches took months or more to discover

The newest statistics indicate that cybercriminals target small businesses to gain unauthorized access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting weaknesses in systems, networks, software, and people to gain entry.

Many small businesses currently lack the appropriate resources necessary to defend against these attacks, which increases the likelihood that cybercriminals will continue to target them.

What is compliance?

In general, compliance is defined as following rules and meeting requirements. In cybersecurity, compliance means creating a program that establishes risk-based controls to protect the integrity, confidentiality, and accessibility of information stored, processed, or transferred.

However, cybersecurity compliance is not based in a stand-alone standard or regulation. Depending on the industry, different standards may overlap, which can create confusion and excess work for organizations using a checklist-based approach.

For example, the healthcare industry needs to meet Health Insurance Portability and Accountability Act (HIPAA) compliance requirements, but if a provider also accepts payments through a point-of-service (POS) device, then it also needs to meet Payment Card Industry Data Security Standard (PCI DSS) requirements.

Moreover, as compliance requirements shift from control-based to risk-based, the landscape of cybersecurity compliance also shifts.

5 Steps to Creating a Cybersecurity Compliance Program

1. Create a Compliance Team

Even in small to mid-sized businesses, a compliance team is necessary. Cybersecurity does not exist in a vacuum. As organizations continue to move their business critical operations to the cloud, they need to create an interdepartmental workflow and communicate across business and IT departments.

2. Establish a Risk Analysis

As more standards and regulations focus on taking a risk-based approach to compliance, organizations of all sizes need to engage in the risk analysis process.

Identify

Identify all information assets and information systems, networks, and data that they access.

Assess Risk

Review the risk level of each data type. Determine where high risk information is stored, transmitted, and collected and rate the risk of those locations accordingly.

Analyze Risk

After assessing risk, you need to analyze risk. Traditionally, organizations use the following formula:

Risk = (Liklihood of Breach x Impact)/Cost

Set Risk Tolerance

After analyzing the risk, you need to determine whether to transfer, refuse, accept, or mitigate the risk.

3. Set Controls

Based on your risk tolerance, you need to determine how to mitigate or transfer risk. Controls can include:

4. Create Policies

Policies document your compliance activities and controls. These policies serve as the foundation for any internal or external audits necessary.

5. Continuously Monitor and Respond

All compliance requirement focus on the way in which threats evolve. Cybercriminals continuously work to find new ways to obtain data. Rather than working to find new vulnerabilities, called Zero Day Attacks, they prefer to rework existing strategies. For example, they may combine two different types of known ransomware programs to create a new one.

Continuous monitoring only detects new threats. The key to a compliance program is to respond to these threats before they lead to a data breach. Without responding to an identified threat, the monitoring leaves you open to negligence arising from lack of security.

Why you need continuous documentation for continuous assurance

Security is the act of protecting your information. Compliance is the documentation of those actions. While you may be protecting your systems, networks, and software, you cannot prove control effectiveness without documentation.

Documenting your continuous monitoring and response activities provides your internal or external auditors with the information necessary to prove governance. Moreover, the documentation process eases conversations with business leadership and enables the Board of Directors to better review cybersecurity risk.  Since compliance requirements focus on Board governance over the cybersecurity program, documenting risk, monitoring, and remediation in an easy-to-digest way enables you to meet these compliance requirements.

Why you need a single-source-of-information

With the number of stakeholders involved in cybersecurity compliance activities, maintaining shared documents leads to a variety of potential compliance risks. Shared documents can be updated without the document owner’s knowledge. People can make copies which leads to multiple versions which leads to lack of visibility.

A single-source-of-information allows all stakeholders to track and review compliance activities while maintaining compliance data integrity.

Zeguro Cybersecurity-as-a-Service for compliance

At Zeguro, we understand more than just cybersecurity. We understand risk. Starting with a security-first approach to cybersecurity, we help you identify risks, create policies, and monitor control effectiveness. However, we go further than other Cybersecurity-as-a-Service (CSaaS) companies because we also direct you towards an end-to-end cyber insurance policy that fits your needs. To get early access to our end-to-end cyber safety platform and find out first-hand what CSaaS is all about, sign up for Beta access here.