As we continue to see crippling data breaches, new regulations like GDPR and California's Consumer Privacy Act will only become more common. But is maintaining compliance with current regulations enough to protect your business from sophisticated cyber security attacks?
The Importance of Regulatory Compliance
Today, highly regulated industries such as financial services, healthcare, energy, utilities and many others must adhere to strict regulatory standards.
The list of regulatory compliance laws is long, including a soup of acronyms such as HIPAA, PCI DSS, FISMA, FINRA - and those are just the ones that most people have heard of.
And it's not unusual for companies to have to comply with multiple regulations at once, making it even more of a struggle to stay compliant.
Of course it's critically important to comply with regulatory requirements.
Businesses need to follow the state, federal, and international laws and regulations that are relevant to their operations.
Failure to comply will open you up to potential lawsuits and financial liability, not to mention broken trust with clients, partners and others.
However, it's expensive, complex and requires the right expertise just to stay on top of existing standards, let alone embrace new ones.
The result is that companies often focus on meeting the minimum requirements instead of implementing proper cybersecurity policies, which in today's environment is not a good thing.
This has been made even more complex by the huge migration to public cloud apps and services, which has only increased during the recent shift to work-from-home.
Maintaining cloud security is an important piece of maintaining regulatory compliance and is often overlooked!
What's The Difference Between Compliance and Security?
Compliance is NOT security!
There are many examples of companies being breached despite maintaining regulatory compliance to the letter of the law.
Even though almost every large financial institution is PCI DSS (Payment Card Industry Data Security Standard) compliant, many have still been breached, including the much publicized Equifax hack in 2017.
You can add Target, Michaels, Neiman Marcus... the list goes on of organizations that met compliance requirements but were still hacked.
This includes hundreds of U.S. utility companies, which spent tons of time and money on meeting compliance requirements yet failed to prevent hackers from accessing their control rooms.
They were penetrated by hackers who sent spear-phishing emails and tricked vendors and suppliers into giving up their passwords, which in turn gave the attackers access to valuable information.
The bottom line is: compliance is NOT security.
You need to start thinking of compliance as a snapshot of how your security program meets a specific set of security requirements - and not a strategic plan that will cover all of your security needs.
Is Regulatory Compliance or Cybersecurity More Important?
Both are equally important, and go hand-in-hand.
Although compliance is a critical component of any security program, new vulnerabilities and threats keep emerging, and they can only be managed by constantly updating your cyber security practices, which may go far beyond what your industry regulations ask for.
This means that, compliant or not, organizations need to take a more holistic look at their information security and implement the security controls necessary to protect their business.
To truly protect sensitive data, having the proper security program in place AND being compliant are critical.
But cyber security can be a complex beast, and many organizations end up outsourcing some or all of their cyber security needs to a Managed Security Service Provider (MSSP) that can provide 24x7 cyber security protection.
To help get you started on your cyber security journey, here are the top six things you should be doing to protect your organization from security attacks.
Security Checklist - Top Six Recommendations
1. Start with the infrastructure core.
Is your infrastructure serving you well, or are you still supporting outdated, potentially insecure systems to avoid disruption and perceived cost?
Those who have been in business a long time tend to have bolted on a range of one-time fixes found in some compliance software, and often carry an unnecessary burden of IT operating costs just to maintain outdated systems and old code.
This means you're missing out on newer and potentially more secure technologies, typically cloud-based solutions, that could cost much less.
2. Do a cybersecurity audit.
Many organizations have been addressing information security for decades, but recent events show that traditional approaches are no longer good enough. Information security risks have evolved dramatically, and most institutions have not kept pace.
A thorough security audit and a separate compliance audit need to be performed at least once a year.
3. Automate your software updates.
We can't stress enough the importance of keeping your computers and servers up to date with the latest software and patches.
Don't leave this to a human being with a spreadsheet and a manual process; it needs to be automated, along with your network monitoring.
The risks of outdated software are huge (just ask the IRS).
4. Encrypt sensitive data.
Whether accidental or malicious, exposure of sensitive data is an organization's worst nightmare.
While network perimeter maintenance can protect against many threats, it can't protect against them all.
To be truly safe, you should encrypt the data itself, both "in motion" (think email, downloading documents, etc.) and "at rest" (think file servers, endpoint devices and even the cloud).
There are many data encryption solutions on the market today, and a qualified IT consulting service should be able to help you sort through the options.
Don't risk your clients' personal information!
5. Educate your employees with phishing training.
The biggest cybersecurity threats are actually right inside your organization. It's estimated that more than 60% of breaches are caused by employees, typically through phishing attacks.
Providing ongoing phishing prevention training to employees can help reduce this statistic dramatically.
6. Don't forget Backup and Data Recovery.
Successful backup and data recovery (BDR) is now a must for every single business, large or small.
It starts with documenting a data retention policy, which records your established protocol for retaining information. This includes how to organize information so it can be searched and accessed at a later date, and how (and when) to dispose of information that is no longer needed.
Older technologies are no longer enough: do you know the difference between file-based backup and image-based backup?
Are you aware of how often your current BDR solution is being tested? This is one area of risk management you can't afford to ignore!
There are many steps you need to put in place to be truly secure, beyond just meeting what you need to do to maintain industry compliance. Reach out to us for more information, and take a look at our "Essential Cyber Security Toolkit" if you're looking for additional tips and tricks!