Get ready, this episode is all about compliance. Security compliance, to boot. It’s not the most exciting topic, I’ll admit, but it is a necessary one, and your business may have to comply. We are going to do an introductory overview of IT and security compliance requirements and some of the things to look out for. Whether your industry requires it or you have insurance requirements for cyber policies, we are going to go over what you need to know.
My name is John Virgolino and I’m your host; this is ConsulPod. Let’s get started.
Compliance is all about following rules set by a body that holds some kind of power over your business’s ability to function within an industry or geographical area. Historically, compliance is about meeting the requirements set in some kind of regulation. More often than not, compliance is required because it is imposed on you, and you really don’t have much of a choice. So, how does IT fit into this?
Recently, and I mean in the last 5-10 years, there has been a spike in cyberattacks and data breaches, and as recently as a few months ago there was actually a death attributed to a cyberattack. These kinds of aggressive tactics from the bad guys have become so prominent that the methods for protecting ourselves, our businesses, and our data need to be spelled out and enforced. Businesses simply aren’t doing what is necessary to protect their systems. This is especially true of smaller businesses, which don’t think they are the targets and therefore invest the least in protections. They end up with their guard down, and that is exactly why the bad guys go for them first: they are the weakest link. Bad actors don’t care about notoriety; they care about cashing in on your misfortune and your lack of protections. Not only are small businesses a target, but contrary to popular belief they are the prime target.
How does IT play a role in all of this? Compliance requires implementing cybersecurity mitigations, that is, solutions to security problems. The idea is to plug the vulnerabilities we can control and, further, to put mechanisms in place to limit the damage from vulnerabilities we can’t control. In most cases, it will be very difficult to meet cybersecurity compliance requirements without IT.
What are some of the cybersecurity compliance requirements out there, you ask? Do they apply to your business? One of the big ones is probably GDPR, which the EU imposed on, well, everyone in some way. They mandated that if you hold data pertaining to an EU citizen, you have to follow their rules or be heavily fined. If you ever wondered why you constantly have to accept cookies on websites, that’s because of GDPR; it’s one of their requirements, even for websites outside of the EU. Another well-known one is PCI compliance. The PCI standards have been around for a while and implement protections for consumers’ credit card information. If you handle any credit card information as part of your business, you will need some level of PCI compliance.
HIPAA compliance also comes to mind. It too has been around for a while and regulates how our data as patients is protected, transmitted, and stored. Anyone in the medical services field must be aware of and comply with HIPAA requirements.
If you are a military contractor anywhere in the supply chain, you are now going to have to obtain CMMC, or Cybersecurity Maturity Model Certification, through the DoD. CMMC is pretty extensive; for a level 3 out of 5 certification, for example, you will need to comply with over 144 different rules.
If you export products or electronic data outside the US, you need to follow strict federal regulations on export controls. If you are in finance, you may have to show the SEC or NFA that you are compliant with basic cyber hygiene.
More and more state governments are getting into the compliance business. After GDPR, the US federal government didn’t do anything comparable, so states did, with CCPA in California and the SHIELD law in NY, and many more are up for consideration in statehouses throughout the US. Depending on your business, where you are located, and what you do, you may need to be compliant with many or all of these different state regulations.
Should you self-impose compliance? I think that having solid security practices in your business makes sense. Many of the regulations out there today follow the same security guidelines, so complying with one often covers many aspects of the others. You should be building good security practices into your culture as soon as humanly possible. It could be the difference between getting hit with ransomware, or something similar, and not.
If you need guidelines to follow, there may be industry groups in your field that offer advice specific to your business, or you can look at NIST standards. The National Institute of Standards and Technology sets standards for all sorts of things, and one of them is the NIST Cybersecurity Framework, which is a good starting point if you don’t have anything else to work with. The NIST 800-171 guidelines are the cornerstone of CMMC compliance and include an impressive 144 guidelines.
Can you comply all by yourself? It completely depends on the scope of your compliance requirements. If you are going to be audited, especially on-site, you are probably going to need to hire a consultant to advise you throughout the process. They can help you prepare and bring in the right people. Just be careful to vet anyone who is joining the compliance team; don’t take for granted that they know what they are doing.
Meeting regulations is one thing, but you also have to keep up after achieving your certification. More often than not, you have to renew your certification on a regular basis, possibly annually or every few years. This means not letting your guard down and staying on top of changing regulations and new security protections that are being adopted. For instance, with the pandemic, many companies instituted work-from-home policies. Compliance requirements for remote work would need to be followed, and many companies likely did a quick-and-dirty implementation because of COVID, thus creating a security opening through remote workers. If your compliance program doesn’t cover remote work, or you planned on fixing it later, that is a vulnerability to your network and data. This is one example of how you need to stay on top of compliance and security guidelines and not waver.
You will also want to keep your staff trained up and tested. There are really good and affordable services to help with that, and they are 100% online. We will dedicate a future episode just to that topic; it is seriously one of the most important things you can do to protect your business. The humans who work for us are the most vulnerable points of entry into your systems, so we need them to be in the know.
One last thing I want to cover is cybersecurity insurance. Many businesses look to get financial coverage in the event they get hacked, breached, or otherwise cyberattacked. Insurance would give you financial relief when you would otherwise be down completely or hurt badly enough that you cannot function. This is likely a wise purchase these days. You should know that premiums are partially tied to how secure your business is. If you have no protections in place, you are likely to pay higher premiums than if you had a comprehensive security plan in place. The insurance companies determine your level of risk by having you answer a long list of questions about your security and network policies. You should consider those questions the equivalent of a compliance requirement. You might want to ask in advance what guidelines you should follow. Either way, it’s another compliance measure you may have to keep track of.
I cannot understate how important a good security posture is when it comes to your IT policies. If you have industry or state compliance requirements, don’t ignore them; they are actually in place to protect you and your customers’ data. Give them the attention they require and take advantage of the security practices they look to impose. It will help your business be more secure, and in today’s climate of constant cybersecurity attacks, absolutely no one is immune, especially small businesses. There is no avoiding it, so embrace it and secure your future business.
If you like this podcast, please let your colleagues and team know about it, and please subscribe so you get our next episode automatically. Thank you for listening. I’m John Virgolino; we’ll see you next time.
Links of interest from this episode: