With the current upheaval, business leaders may lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. That’s a big mistake.
May 21, 2020
It’s clear that COVID-19 is changing the way people interact and work. But after the coronavirus subsides and life begins to return to normal, what will this “normal” look like?
Work as we know it will be changed forever. For example, employees once required to come into the office every day will embrace the convenience and freedom as well as personal time gained from teleworking. Businesses will have to re-examine current working conditions, such as the necessity of daily commutes, cramped cubicles, and rigid office hours, and more.
But cyberthreats will not change — and are likely to increase. Even before the pandemic, security experts estimated that cybercrime could cost the world trillions annually. . Businesses of all sizes are targeted, with three out of five firms reporting an attack in 2019, according to the 2019 Hiscock Cyber Readiness Report. Though large companies are the most likely to be victims of cyberattacks, 47% of small companies reported an incident, and 63% of midsize companies reported attacks, the report found.
US and UK cybersecurity officials warn that state-backed hackers and online criminals are taking advantage of people’s anxiety over COVID-19 to lure them into clicking on links and downloading attachments in phishing emails that contain malware or ransomware. Corporate networks could also be vulnerable to attacks if companies do not invest in providing their employees secure company laptops and set up virtual private networks (VPNs) or zero-trust access solutions.https://81ba06f6f23ea78eac3b3700888ab1ce.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html
With all of this upheaval, business leaders need to keep their guard up. It’s easy to lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. But this would be a big mistake. Regulatory requirements are designed to ensure that organizations establish a solid cybersecurity program — and then monitor and update it on an ongoing basis. It’s critical that organizations continue to stay compliant with applicable security standards and guidelines, especially those concerning policies and procedures, business continuity planning, and remote workers.
Compliance is best when it’s continuously monitored, and it should be part of an overall risk management strategy. Here are common compliance questions I receive from C-suite clients and how I answer them.
1. What does compliance even mean?
Compliance is adhering to established rules and regulations, codes of conduct, laws, or organizational standards of conduct. In the context of cybersecurity, this means following guidelines established to protect the security and privacy of an organization’s information system or enterprise.
2. To which regulations and organizational standards of conduct should I adhere?
Many public, private and nonprofit organizations follow the National Institute of Standards and Technology (NIST) requirements as a solid baseline for privacy and security. These standards emphasize the need to comply with and implement critical security measures, including access, awareness and training, configuration management, security assessment and authorization, contingency planning, incident response, identification and authentication, planning, personnel security, and system and information integrity.
3. How do I know which requirements I should be compliant with?
Understanding that not all risks, missions, organizations, and agencies require the same level of protection, compliance requirements provide room for customization, so agencies and organizations can select the controls most appropriate to meet their goals and/or industry standards.
A risk management framework addresses risk at the organization level, mission/business process level, and information system level. Start with a security categorization process based on determining the potential adverse impact for organizational information systems. The results of your organization’s security categorization can help guide and inform you in selecting the appropriate security frameworks (i.e., safeguards and countermeasures) to adequately protect your information systems.
4. Are there any specific regulations that address remote work?
This March, NIST released a draft revision of NIST 800-124, Rev 2 Guidelines for Managing the Security of Mobile Devices in the Enterprise.
Both these NIST guidelines are mapped to applicable NIST SP 800-53 security controls and Cybersecurity Framework Version 1.1 functions, categories, and subcategories so you can check your compliance with these controls and update them as necessary.
5. What are my risks if I do not remain compliant?
If you allow your organization’s security measures to slip, you can become vulnerable to hackers and bad actors who are experts at finding and exploiting these weaknesses. There’s a saying among cybersecurity experts: Organizations have to be right everytime; hackers only have to be right one time.
6. What other considerations should I factor in when developing an appropriate risk management strategy?
It’s important to consider the appropriate governance, risk, and compliance strategy and tie it to your organization’s desired business outcomes so you can operate without interruption, regardless of the disruption.