Ensuring cybersecurity compliance can be cumbersome (and a pain), but if you don’t do it, it can literally cost you your business.
There are hundreds of controls, and numerous requirements imposed by multiple regulatory bodies and private industry groups.
What’s more, organizations with global operations must face the additional and major challenge of having to adhere to a multitude of both global and local regulations from varying jurisdictions and regulators, across many different geographies.
And the challenge is only going to keep getting bigger as the frequency, volumes, and severity of attacks increase, which will bring standards and government organizations to make compliance requirements even tougher.
Compliance and Risk Mitigation
But, not overcoming the challenge is not something any company can afford. Companies that are found to be non-compliant face stiff fines and penalties, not to mention reputational damage. For example, Uber was hit with a $148 million fine and Equifax paid $575 million for a 2017 breach. As for companies who have EU citizens in their customer base, infringing the General Data Protection Regulation (GDPR) will result in a maximum fine of ~$23 million (€20 million), or 4% of the annual turnover, whichever is higher, with the average fine coming in at $180,000 even for small-to-medium businesses.
The only way to reduce the risk of a breach, the associated costs of response and recovery, the steep fines, and avoid the damage to business continuity and brand equity, is to make sure that protection is robust and that everyone is adhering to cybersecurity compliance requirements.
The 7 Compliance Challenges
If you’re looking to implement high levels of cybersecurity controls and processes that assure compliance with regulations, you will need to overcome seven key challenges.
An ever-changing threat landscape
Cybersecurity threats emerge and change very rapidly, making it very difficult for organizations (and regulators) to keep up. As soon as a new type of threat is observed and new controls are put in place, an even newer threat arises which requires expedited attention and action.
Increasing sophistication and frequency
The technologies and strategies that are used by cybercriminals are becoming more sophisticated all the time. Moreover, the frequency of attack and the extent of its reach is also increasing, bringing greater damage than ever.
Rapid technology evolution
The challenge of keeping up with cybercriminal sophistication is even greater when you need to continually keep up with rapidly evolving technologies.
For example, for companies with Kubernetes environments, new technologies must be deployed to mitigate the risk involved with the platform’s innate vulnerabilities, which result from its packaging together applications functionality, infrastructure definitions, and third-party components.
In addition, with the increase in unauthorized and malicious lateral traffic within the network, many organizations are implementing a zero-trust model that requires a new set of controls and technologies as well.
The skills gap
Assuring compliance requires also means that you need to have a broad and varied skill-set in-house, which includes having in-depth knowledge of multiple regulations, cyber threats, processes, controls, and cybersecurity technologies.
Without such extensive expertise, it is impossible to create an effective and thorough program and to accurately perform the scoping, monitoring, and remediation required for ensuring security and demonstrating compliance.
Growth in endpoints “70% of successful cyber-attacks originate at the endpoint.” (IDC)
The endpoint has become the threat epicenter. Yet, protecting the endpoint has never been more challenging. The pandemic-driven remote work model has resulted in an unprecedented proliferation of devices which has profoundly extended the potential attack surface.
So it’s no surprise that in a study conducted in mid-2020, 39% of security professionals reported that they are not confident in the resilience of their existing endpoint protection solutions.
The perimeterless organization
Today’s workforce is dynamic, roaming, and – as just mentioned – remote. The move to the cloud is continually accelerating, as is the proliferation of IoT-connected devices. What this combination of forces means for cybersecurity is that the days of a well-defined security perimeter are far behind us.
This makes legacy security infrastructures obsolete and lends a new level of complexity to assuring protection and compliance.
Regardless of the industry in which you operate, you will likely need to comply with many different standards. For example, healthcare services organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA). And if these same organizations accept payments through point-of-service (POS) devices, then it must also meet Payment Card Industry Data Security Standard (PCI DSS) requirements.
Furthermore, if the customer base includes EU citizens, then compliance with GDPR is mandatory.
The Light at the End of the Compliance Tunnel
When it comes to the potential complexity and confusion that comes from having to adhere both to multiple regulations as well as to the varying local flavors, the good news is that there are many commonalities that alleviate some of the burden.
Many regulations focus on the same or similar threats and vulnerabilities and, therefore, entail similar mitigation requirements, for example:
· Establishing a governance framework for assuring cybersecurity accountability
· Identifying the systems that require greater security controls
· Monitoring data systems for attempted and successful breaches
· Implementing incident response programs that include notifying regulators and affected parties
· Testing the security program on a regular basis
Many of the newer regulations are driven by existing ones. Moreover, overall, many are also closely aligned and consistent with the existing standards established by organizations such as the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). This is why it is essential and even strategic to assure that solution and service providers who support, implement, and maintain the organization’s cybersecurity programs, controls, and technologies are certified for SOC 2, GDPR, HIPPA, and PCI DSS, to name a few, as well as ISO 22301 and ISO/IEC 27001.
ISO 22301 is important in being applicable to providing cybersecurity solutions for hacking simulations, forensic investigations, cyber intelligence, training, and building and operating security operation centers.
ISO/IEC 27001 is important as it is applicable to the business processes involved with providing the same cybersecurity solutions noted above
Tackling the challenge
When going ahead with establishing a cybersecurity regulatory compliance framework, we recommended that you:
Evaluate all the regulations that are relevant not only for your industry but also for every region and jurisdictions that you operate in.
Identify the commonalities, which should serve as the basic framework, and then you can create local frameworks to address the outstanding jurisdiction-specific requirements.
Go to the standards
Similarly, since many regulations are derived from established standards, these standards can serve as a valuable source of information for identifying the commonalities across various local regulations.
However, it is important to note that protecting the organization against an attack requires going beyond industry compliance standards. It is certainly the foundation. But, the security job doesn’t end there.
Gain access to expertise
“Compliance with cyber integrity regulations requires deep experience in both technology and regulatory compliance.” (Deloitte)
Nothing will serve your efforts better than experience and expertise. If you don’t have these in-house, then a third-party provider of cybersecurity-specific solutions and services, with further domain expertise in cyber compliance (and the right certifications) is the best way to mitigate risk, assure security and compliance, and avoid the damage.