As the nature of compliance grows increasingly complex, it becomes more difficult for companies to understand what applies to their business and how to build and implement protocols. Furthermore, as cyber threats grow exponentially, companies are facing problems like potential governmental fines and financial theft, breach of sensitive data and loss of clientele. Author of the bestseller “Security Risk Assessment Handbook” and cybersecurity expert, Douglas Landoll, recently stated that, “Non-compliance with information security regulations remains one of the top mistakes made by companies in their current data security approach.” Don’t say we didn’t warn you.
We have mapped out the four steps that you should follow for your business to become compliant and ready to counter growing cyber instability.
Step 1 – The tight relationship between compliance and cyber security
Once upon a time, organizing cyber defense fell under the domain of the IT guys, but over time, the cybersecurity tent has broadened to encompass CCOs and CISOs. According to a recent survey conducted by BAE Systems, the majority of IT staff want C-Suites at the front and center of cybersecurity decision making. One can have the best technology on the market, but without a clear process and defined roles, it will be exceedingly difficult to prevent attacks.
The New England Chief Audit Executives group conducted a roundtable discussion, which concluded that without a comprehensive strategy of processes in place, your tools are more or less useless. Simply put, having great technology without a compliance program will likely result in failure. We saw this very clearly in the Yahoo hacks between 2013-2015, which compromised one billion accounts and caused the company tremendous damage both financially and to its reputation.
The creation of an efficient cybersecurity compliance program involves many factors like auditing, understanding all relevant stakeholders, understanding country specific regulatory laws and the adoption of the right security technology to meet these needs.
Step 2 – Know your country
Cybersecurity regulations can vary from country to country or region to region. For instance, the EU is 12 months away from implementing its General Data Protection Regulation (GDPR), which covers a wide range of security issues like data security, management, and transparency. It is worth noting that fines can reach up to 20 million euros. This past October at the UK CISO Summit, participants discussed the implications of the new regulations, in that companies will be forced to devise new approaches to storing, protecting, monitoring data, and staff and resources involved in order to be in compliance with GDPR.
In fact, in March, Democrats in the United States Congress began demanding that the Federal Communications Commission (FCC) create new regulations for cybersecurity for cellular networks. However, the FCC claims that cybersecurity is not under its purview and thus they will not act on the issue. This comes on the heels of an executive order by President Trump calling for an extensive review of US cyber vulnerabilities and capabilities. Considering that the United States is a gigantic bureaucratic web, and executive orders are usually short lived, it will take time for the US to get its act together. Other countries like Japan and Brazil are also in the process of developing their own regulations for transparency, consistent access and authentication for various types of data. Countries around the world are recognizing the importance of digital compliance and standards and are making steps toward ensuring the safety of their citizens’ and businesses’ data.
Step 3 – Timelines and shareholders
When first building your compliance structure, start with timelines. Governmental agencies often put time constraints on companies to come into compliance. For example, the new standards for the NY State Department of Financial Services. The agency is giving companies until March 1, 2018 to provide a risk assessment report, but an additional six months to implement the programs that result from the report’s findings. Business and organizations should push lawmakers to prevent a situation where the global marketplace becomes fragmented by regulations, due to rapidly changing technologies and threats. This would lead to the crippling of competition and innovation and subsequent the strengthening of cybercrime.
It is furthermore important that all stakeholders, including directors, management, security staff, and vendor partners be connected via a shared platform. This will allow them to collaborate within a defined framework. The platform should incorporate governmental regulations like FINRA, HIPAA, FERPA to better connect directors with technological experts, track progress or changes, and allow for effective oversight. However, it is becoming increasingly clear that the bulk of the responsibility for heavy decision making is shifting from IT personnel to the board of directors. This is a natural response to increased demands from organizations like the SEC and FTC. However, it is imperative for communication between the board and all stakeholders to remain strong. It should be noted that compliance is critical in order to prevent theft and mishaps similar to what happened at Bangladesh Central Bank.
Step 4 – Compliance starts at the CORE
Once your organization fully understands the regulatory policies it is subject to, it must then learn how to see and profile all network devices, remediate any security issues and automate actions that have traditionally been conducted manually.
There are four segments to this process:
- Understanding how mobile, BYOD and IoT devices will affect and transform not only the organization, but the industry and implementing the right processes and tools control them.
- Tracking any network related device or program in real time via a centrally secured platform providing full and actionable visibility.
- Addressing cloud security is paramount, because everything today is going through the cloud. It is important to strictly control access to the network and to cloud applications, even based on the geographical locations of users.
- Ensure that your business is in compliance with governmental regulations like SOX, PCI DSS, HIPPA, FINRA, FISMA, GLBA among others. Strict compliance will provide legitimacy with clients and partners.
Once your organization understands that without full and actionable visibility on the network it will be impossible to control devices or maintain compliance standards, the next step is finding the right tools. Portnox’s advanced system allows network operators to see and control any device, at any time, and from anywhere, making compliance a more straightforward and smooth process. Portnox continues to lead the way with its innovative technology that will allow you to tackle risk challenges in a simple and straightforward manner.
Check out our “Compliance as a Strategy for Business Success eBook” to learn more on how to become complaint with security regulations and grow a successful business.