Cybersecurity and The Endless List of Compliance
I recently wrote about insurance companies raising the bar on what businesses must do to protect their valuable data in order to acquire cyber liability insurance. But it's not just insurance companies that are raising the bar. Governments around the globe are now requiring all types of companies to comply with some type of standard to better protect the data they possess. What many people don't realize is that these standards are all based on the protection of personal/private/confidential/sensitive/valuable information or data. Whether it's HIPAA, NIST 171, GDPR, FISMA, ISO-27001 or another cybersecurity standard, the goal is to protect the customer's or client's data as a requirement of doing business. Governments want businesses to make it more difficult for cyber criminals to steal valuable data. If you look at the core of these various compliance standards, you'll find they all begin by requiring a risk assessment and then move toward a more holistic approach to cyber risk management.
What does holistic approach mean?
When you talk about cybersecurity, most people think of software or hardware solutions that protect systems or data by preventing bad actors from damaging or accessing data. For example, everyone needs to be running the latest anti-virus with automatic updates turned on. But the truth is, human error is the cause of over 65% of breaches, which means we need to include cybersecurity training as part of our solution. Since not all employees are the CIO's responsibility, we now have all department heads involved. Therefore, we need to start with leadership: the company leadership needs to make cybersecurity a priority.
What's the value of your data?
One of the first steps in a cybersecurity program or plan is to identify all valuable data and where it is stored and transmitted. Many overlook the first part of this: identifying the valuable data. For example, if you ask most healthcare providers "Which is more valuable on the dark web, a credit card or a patient record?", they will respond that the credit card is more valuable. The fact is the patient record (PHI) is worth 50 times the credit card. This means healthcare providers with PHI are 50 times more valuable to cyber criminals. The next part is to identify where the PHI resides. Again, many healthcare providers think that because they use a HIPAA-approved EMR (patient management system) they are protected. But most have billing personnel who export 100% of the data to a local workstation, then save it unencrypted in the download folder, on the desktop, or on a shared network drive. The PHI is usually saved unencrypted in the browser cache too. It's just waiting to be stolen or locked by the criminals.
Why start with an assessment?
Most business owners or managers of smaller companies don't understand the value of a full Security Risk Analysis or Risk Assessment, which is required by most of these compliance standards. A risk assessment provides you with a list of issues that need to be addressed. By prioritizing this list, you create a risk management plan to address the issues and improve the protection of your valuable data. As you work through and correct issues, you change the culture of your work environment to be more aware of protecting the data, creating a culture of resilience. Over time, the policies and procedures become Standard Operating Procedures for your business. You simply operate more securely, greatly reducing your likelihood of a breach.
What's the goal?
So, what's the goal of all these different compliance standards? Why does the government care? Why are the governments sticking their noses in company business? It's actually to protect the business! Protecting the individual's personal information helps to protect a company's reputation and maintain the trust of its customers, ultimately keeping the company in business and profitable.
Are you ready to begin protecting your valuable data and creating your own culture of resilience?
Contact us for a third-party Security Risk Assessment: 512.310.0020 or email@example.com.