As we continue to see crippling data breaches, new regulations like GDPR and California's Consumer Privacy Act will only become more common. But is maintaining compliance to current regulatory laws enough to protect your business?
The Regulatory Compliance Conundrum
Today, highly regulated industries such as financial services, healthcare, energy, utilities and many others must adhere to strict regulatory standards.
The list of regulatory compliance laws is long, including a soup of acronyms such as HIPAA, PCI DSS, FISMA, SOX - and those are just the ones that most people have heard of.
And it's not unusual for companies to have to comply to multiple regulations at once, making it even more of a struggle to stay compliant. It's expensive, complex and requires the right expertise just to stay on top of existing standards, let alone embrace new ones.
The result is that companies often focus on meeting the minimum requirements instead of implementing proper security polices, which in today's environment where our attackers are always one step ahead of our defenses, is not a good thing.
And it doesn't help that the regulation outlines are publicly available, often providing hackers with a good deal of the information they need to figure out how to break through!
Being Compliant But Not Secure
There are many examples of companies being breached despite regulatory compliance.
Even though almost every large financial institution is PCI DSS (Payment Card Industry Data Security Standard) compliant, many have still been breached, including the much publicized Equifax hack in 2017.
You can add in Target, Michaels, Neiman-Marcus...the list goes on.
Hundreds of U.S. utility companies, who spent tons of time and money on meeting compliance requirements, failed to prevent hackers from accessing their control rooms. They were penetrated by hackers sending spear-phishing emails and tricking vendors and suppliers into giving up their passwords., which in turn gave them access to valuable information.
Bottom line? You need to start thinking of compliance as a snapshot of how your security program meets a specific set of security requirements - and not a strategic plan that will cover all of your security needs.
Cyber Security Beyond Compliance
Although compliance is still a critical component of any security program, new vulnerabilities and threats keep emerging. This means that compliant or not, organizations need to take a more holistic look at their information security, and implement the proper security necessary to protect their business.
To truly protect sensitive data, having the proper security program in place AND being compliant are critical. But security can be a complex beast - many organizations end up outsourcing some or all of their cyber security needs to a Managed Security Service Provider (MSSP.)
To get you started here's our short list of security tips and tricks - but be sure to reach out for additional assistance!
Our 6 Best Security Tips and Tricks
- Start with the core. Is your infrastructure serving you well, or are you still supporting outdated, potentially insecure systems to avoid disruption and perceived cost. Those who have been in business a long time tend to have bolted on a range of one-time fixes, often carrying an unnecessary burden of IT operating costs needed to maintain outdated systems and old code. This means you’re missing out on newer and potentially more secure technologies that could cost much less, which are typically cloud-based solutions.
- Consider a security audit. Many organizations, especially in the financial services industry, have been addressing information security for decades, but recent events show that traditional approaches are no longer good enough. Information security risks have evolved dramatically, and most institutions have not kept pace. A thorough security audit needs to be performed at least once a year.
- Automate your updates. We can't stress enough the importance of keeping your computers and servers up to date with the latest software and patches. Don't leave this to a human being with a spreadsheet and a manual process - it needs to be automated, along with your network monitoring. The risks of outdated software is huge (just ask the IRS.)
- Encrypt sensitive data. Whether accidental or malicious, exposure of sensitive data is an organization's worst nightmare. While perimeter maintenance can protect against many threats, it can't prevent against all. To be truly safe, you should encrypt the data itself, both “in motion” (think email, downloading documents, etc.) and “at rest” (think file servers, endpoint devices and even the cloud.) There are many data encryption solutions on the market today, and a qualified IT consulting service should be able to help you sort through the options.
- Educate your employees. The biggest cyber security threats are actually right inside your organization. It's estimated that more than 60% of breaches are caused by insiders, typically from phishing attacks. You can do this by using free tools such as Duo (MFA and 2FA) or Cofense, or arrange for on-site cyber security awareness training from your managed IT service provider.
- Last but not least - BDR. Successful backup and data recovery (BDR) is now a must for every single business, large or small. It starts with documenting a data retention policy, which records your established protocol for retaining information. This includes how to organize information so it can be searched and accessed at a later date, and how (and when) to dispose of information that is no longer needed. Older technologies are no longer enough – do you know the difference between file-based backup and image-based backup? Are you aware of how often your current BDR solution is being tested? This is one area you can’t afford to ignore!
As a next step, we encourage you to take a read of our "Essential Cyber Security Toolkit" which will provide additional information, and of course reach out to us if you have any questions!