Every month in 2019, a new high-profile data breach made headlines. More than a billion customers of various companies had their private information stolen by hackers or exposed on unsecured servers. This poor management of private data angered many – including lawmakers. New data privacy laws in California and New York take effect this year – and Microsoft and Apple seek national data privacy regulations.
If your organization collects Personally Identifiable Information (PII) – or works with client organizations who do – you face increasing data compliance regulations. That is one result of all these mega-breaches.
Another result is that the market now expects you to have your cybersecurity act together. So many breaches result from simple steps not taken – weak passwords, overlooked patches and updates, outdated security. Suffer a breach now, and not only do you face angry clients who may leave and sue you, but you also face business losses, regulatory fines, negative publicity and possible bankruptcy.
Even without a breach, your large regulated clients now must put you through a rigorous vetting process. If they find that you’re compliant – but not secure – you risk losing that business.
Some bad actors out there work for enemy nations, and the breaches they cause could leave you with systems damaged beyond recovery. Just last month, IBM published a warning about an Iranian wiper virus called ZeroCleare, which overwrites a crucial element of an operating system, destroying file structure and disk partitions – and permanently erasing data in the process.
Your organization needs to be out ahead of this bad news. Cybersecurity must be a priority if you handle sensitive data. Just because you’re meeting IT compliance requirements does not mean you’ve plugged all your vulnerabilities.
Here’s an example: Your organization meets your regulatory data compliance requirements. You limit who works with the data, you shield it from public exposure, and you’ve checked the boxes on dozens of other regulatory requirements because someone at your company wrote policies and plans that met those requirements.
Then one day, an employee thinks they’ve received an email from the boss, asking for payroll data. The email arrives right as project deadlines swamp the employee with work. So they respond to the message and move on. But it wasn’t a legitimate request – and now malware is rapidly exfiltrating your data to overseas servers controlled by criminals.
Compliant Is Not Secure
Our company provides IT compliance and cybersecurity services to clients in regulated industries. The message we try to drive home is: If you focus on increased cybersecurity as your outcome, then it is far easier for you to be compliant. But if you only focus on being compliant, you may miss the opportunity to make your business more secure.
Let’s take our harried employee from above. Let’s say they work at your law firm, which serves clients in healthcare and banking. Your clients are governed by HIPAA and FFIEC rules, which means you are too, because you have their data in your case files. This means your organization is required to hold cybersecurity training annually. But recently you’ve had other priorities to cover, and your budget hasn’t included additional IT funds.
So HR found inexpensive training materials online and forced everyone – including the harried employee – to watch a boring training slideshow. Because it was boring – and because it was low priority – the messages weren’t reinforced with periodic reminders afterwards. Workers forgot about the training and returned to their old habits. A few months later, your employee opened the door to a data breach.
Now, let’s take an example from one of our clients. An employee, working on a company computer at home, got a call from someone purporting to be AppleCare Support. The caller claimed that her Apple ID appeared to be compromised. This employee had been through live security training that is also reinforced periodically. When the caller asked for her password to set things straight, the hair stood up on the back of her neck. She terminated the call. Good security training gave her the instincts to sense trouble.
The FBI says the most common cause of a data breach is an employee clicking a fraudulent link or opening a fraudulent attachment in an email. You don’t prevent that by meeting regulatory compliance.
To be sure, I am not saying cybersecurity will prevent every employee you have from making a mistake. But it can go a long way toward protecting your assets when that mistake happens.
Compliant – By Being Secure
When we develop cybersecurity plans for our clients, the issues we focus on include: How can we quickly detect intrusions? How do we stop malware from spreading, or ransomware from encrypting all the backups? And what is needed so this client can recover as fast as possible?
Compliance audits don’t ask those questions. Usually, they ask: Do you have a plan? It’s very easy to say yes, even if your plan’s unworkable in reality.
Here’s another example: A Disaster Recovery Plan. Have you rehearsed yours? You can tell a compliance auditor you have one – stored in a file somewhere. But without testing it, are you sure your plan follows the correct steps?
Our clients also say yes, they have a plan – and they are confident it will work. Because we’ve helped them build and test it, our clients know it’s realistic. They know they can get back in business rapidly whether they’re offline because of malware – or a fire.
Our cybersecurity processes help our clients develop good answers to regulatory questions. They’ve completed our risk assessments and discovered oversights they would otherwise have missed.
And through our documentation processes, clients have thought through important organizational issues in security and compliance. The end result is they are compliant through the steps they took to be secure.
Cybersecurity and compliance are not synonymous. But if you give cybersecurity the priority our world now requires, compliance will follow – and so will business.