Cybersecurity Policies and maintaining Regulatory Requirements have become critical considerations when drafting a Comprehensive Cybersecurity Program.
"Major events like the 2021 Colonial Pipeline Ransomware attack have spurred the need for strategies to prepare for known and unknown risks."
Cybersecurity Incidents and organization breaches are occurring every day, either due to outdated Cybersecurity practices or organizations not keeping up with the necessary Cybersecurity Regulations set by Federal Agencies or by standards such as NERC CIP, HIPAA, or PCI DSS. Today Cybersecurity policies are focused on creating a comprehensive Cybersecurity program that will ensure Cybersecurity Incidents and breaches are less frequent and that the proper measures are in place to limit the damage. Compliance programs within an organization are becoming more of a C-level initiative instead of just being lumped under all other IT issues.
The magnitude of Cyber Incidents and the rising cost per file compromised has caught C-level executives' attention. Cybersecurity policies are no longer an issue to briefly discuss or assume will be handled by the IT department. Incident response actions and measures need to be upgraded to face the ever-increasing Cybersecurity risks. Compliance rules and regulatory requirements within particular industries are changing faster than in years past. The constant evolution of Cybersecurity attacks is best combated with improvements in critical infrastructure and the adoption of a culture of compliance.
Taking action to protect these technologies and the customers who depend on them is a matter all organizations must prioritize. Organizations need to ensure they are compliant before an incident occurs to avoid the massive cost of non-compliance.
What is Cybersecurity?
“With the growing volume and sophistication of cyberattacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.”
Cybersecurity focuses on protecting computers, networks, programs, and data from unintended or unauthorized access, change, or destruction.
Governments, military, Financial Institutions, Bank Service Providers, hospitals, and other businesses collect, process, and store a great deal of confidential information.
The computers that hold this information transmit it across networks to other computers. Measures must be in place to protect it.
The growing volume and sophistication of cyberattacks require ongoing attention to protect sensitive business and personal information and safeguard National Security.
An organization can no longer operate on the assumption that it is too small for a hacker to want to attack.
Constant risk assessments and improvement of Cybersecurity programs are a part of doing business for the foreseeable future.
Layers of Cybersecurity
Preventing and mitigating Cybersecurity Attacks typically involves 6 separate layers:
1. Comprehensive Risk Assessment
Analyzing your Security Vulnerabilities and documenting any required Cybersecurity Regulations you must follow.
2. Implementing Minimum Cybersecurity Practices
Complying with Cybersecurity Regulations.
3. Establishing Cybersecurity Policies
Beyond Regulatory requirements, adopting proprietary policies to secure critical Operations and to secure access controls for user Identities, as well as for internal and external network applications.
4. Compliance with Cybersecurity Protection Regulations
Annual Certification of Compliance, or Certification by any imposed deadline, together with verification of Internal Controls.
5. Incident Response
Disclosure of Cybersecurity Attacks, Notice to Consumers. Filing Alerts for Financial and Government entities of any consumer data privacy issues.
6. Building a Culture of Compliance
Educate and train users and staff on the importance of internal controls, Multi-Factor Authentication, the existence of Cybersecurity vulnerabilities, and maintaining consumer privacy.
What is Compliance?
At one time or another, every organization will fall victim to a breach. It must have the proper safeguards to protect its systems and network and minimize the damage when breached.
"Organizations need to realize that compliance is not a one-time event. They need to make it into a repeatable process."
An initiative to comply typically begins as a project. Organizations will race to meet deadlines to abide by these rules and regulations. These projects will typically consume significant amounts of resources as meeting deadlines become the most crucial objective. Organizations need to realize that compliance is not a one-time event. Compliance should be a repeatable process.
Repeatable steps are required to sustain compliance with the rules and regulations at a lower cost than the original effort. The simplest way to comply is to follow only the rules that have legal consequences for non-compliance, and then only meet the minimum requirements to avoid the fines and penalties. However, many firms have learned the hard way to go beyond this approach to mitigate risk and create a defensible strategy in the event of falling into non-compliance, or worse, suffering a breach.
When organizations are dealing with the regulations set by their industry, a streamlined process of managing compliance with every one of the initiatives is critical. If not managed and monitored, the costs can spiral out of control, and the risk of non-compliance increases.
The compliance process enables organizations to maintain their standing repeatedly. It allows organizations to sustain compliance on an ongoing basis, at a lower cost, and decrease their chances of becoming non-compliant or suffering an attack.
The Evolving World Of Cybersecurity And Compliance
Cybersecurity used to be as simple as setting up a wall on the perimeter of your system, and that would be enough to keep the bad guys out.
“Cybersecurity used to be an IT department issue; today it's a C-level priority.”
Today though, if you just set up a perimeter, you are not even considered to be doing the bare minimum Cybersecurity practices. Today, a proper Cybersecurity program will require you to protect the inside of your network and internal controls from those already on the inside.
Cybersecurity risk has expanded from being only an IT department issue for national banks, Mortgage Brokers, and Insurance companies, to being a necessity for all businesses with any exposure to external and internal networks. This shift results from the exponential increase in organizations of all sizes routinely being breached and the impact businesses face from the negative press, which can often be more costly than the breach itself. The sophistication of the bad guys is outpacing the solutions in place.
This forces organizations to stay nimble and to be able to protect against a far broader range of challenges. Organizations must continue to review and evaluate what they have in place and decide if they should look for an upgraded solution. Additionally, organizations are utilizing systems in a variety of new places. The need to protect all digital assets and interests on multiple networks and in multiple locations is another significant change. In the past, Security was limited to the organization's system and network in one location.
Today computers, tablets, and cell phones not connected to the corporate offices are on the organization's systems and networks. New technology locations and connections are fantastic for business; however, they create new challenges that did not exist years ago.
Culture Of Cybersecurity Compliance
“At one time or another, every organization will fall victim to a breach.”
The explosive pace of industrialization and technological advancements has exposed many systemic weaknesses and the existence of Cybersecurity vulnerabilities that can arise from an increasingly complex global industrial infrastructure. Combining human competencies with other factors such as computer systems, heavy machinery, and chemical or nuclear engineering has demonstrated, through a series of unfortunate events, that unforeseen risks are a contingency of modern business operations.
Many of these incidents have led directly to legislation designed to insulate the public, environment, and economy against future disasters. In the aftermath of disastrous events, Federal Regulators have enacted workplace regulations, building codes, privacy laws, environmental safety standards, banking reforms, and financial reporting mandates.
The Cost Of Ignoring Cybersecurity
Today, organizations' most significant security issue is the threat of individuals or groups breaking into their computer systems or network.
Ransomware and data theft are hugely profitable for highly technical organized crime groups and individuals.
This new security concern is growing exponentially and has dwarfed the former priorities primarily focused on on-site theft.
1. Steve Ragan, "Nearly a Billion Records Were Compromised in 2014," CSO (Nov. 17, 2014).
2. Internet Security Threat Report 2014 (2013 Trends, Volume 19), Symantec Corporation (2014).
3. Research Report, 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2014).
The growth of data breaches and exposed records is best illustrated by comparing the first and second half of the last ten years. From 2010-2014 just over 3,000 data breaches occurred, exposing over 387 million personal records.
In the most recent five-year period, from 2015-2020, the number of breaches more than doubled to 6,469, with a staggering number of records exposed, totaling just over one billion (1,026 million).
The number of attacks and compromises continues to grow as thieves and technology get better. The annual cost of the impact of intellectual property theft is estimated somewhere between two hundred and two hundred fifty billion dollars. Additionally, it could cost upwards of two hundred thousand jobs.
The Global Costs
Globally the estimated annual cost of data breaches is upwards of five hundred thirty-eight billion dollars. The price per hour of distributed denial of services attacks is around one hundred thousand dollars. For an organization, the cost of a breach on average in the United States is around five million eight hundred five thousand dollars. In the United States, the average cost per compromised file is around two hundred dollars.
These costs do not factor in the costs associated with organizations' measures to restore identity credibility to those who had their personal data compromised. These costs are realized from credit monitoring services, creating new account information, or even financial compensation due to damages suffered by the victim.
"It is estimated that annually the cost of the impact of theft of intellectual property is somewhere between $200 and $250 billion."
A perfect example of a breach that could have been avoided with essential Cybersecurity updates is the breach at the Office of Personnel Management (OPM) within the US government. In the summer of 2015, it was discovered that the OPM had suffered a data breach. Initial reports were that four million records of current and former civilian agency and military employees had been leaked. When the investigation finally concluded, the four million had ballooned to twenty-one and a half million total records compromised, including five million six hundred thousand fingerprint records.
The hackers were able to get all those records due to the data stored on the OPM's system not being encrypted. The data was not encrypted because the system was out of date. Once the hacker gained access to the system, their ability to extract records was simple. If the system were up to date, the records would have been encrypted, making it a lot harder to decipher the information extracted. The fallout from this negligence was massive. First, the Director of the OPM, Katherine Archuleta, was forced to resign from her position.
Secondly, the government paid twenty million to a firm to notify the four million people first reported, along with eighteen months of credit monitoring. Then, five months after the breach was publicly disclosed, the government paid an additional one hundred thirty-three million to a firm to notify the remaining victims, along with three years of credit monitoring and identity-theft prevention services. In total, the OPM paid over one hundred fifty million dollars just to help monitor the victims' identities.
The government still needed to address the systems and all the problems they had. US Chief Information Officer Tony Scott called for immediate updates and patches of all systems in what was called the 30-day Cybersecurity Sprint. What this entailed was:
1. "Immediately" deploying so-called indicators, or tell-tale signs of cyber-crime operations, into agency anti-malware tools. Specifically, the indicators contain "priority threat-actor techniques, tactics and procedures" that should be used to scan systems and check logs.
2. Patching critical-level software holes "without delay." Each week, agencies receive a list of these security vulnerabilities in the form of DHS Vulnerability Scan Reports.
3. Tightening technological controls and policies for "privileged users," or staff with high-level access to systems. Agencies should cut the number of privileged users; limit the types of computer functions they can perform; restrict the duration of each user's online sessions, presumably to prevent the extraction of large amounts of data; "and ensure that privileged user activities are logged and that such logs are reviewed regularly."
4. Dramatically accelerating widespread use of "multi-factor authentication" or two-step ID checks. Passwords alone are insufficient access controls, officials said. Requiring personnel to log in with a smart card or alternative form of ID can significantly reduce the chances of adversaries piercing federal networks, officials added, while stopping short of mandating multi-step ID checks.
5. A "Cybersecurity Sprint Team" was created to lead a month-long review of the federal government's security hygiene practices.
The Cost Of Ignoring Compliance
"With some fines and penalties being as much as a million dollars a day, firms cannot afford to be non-compliant."
A highly-skilled, high-quality Cybersecurity Compliance Program is expensive to build. However, it will be one of the best investments for a firm and its senior managers. With some fines and penalties being as much as a million dollars a day, firms cannot afford to be non-compliant. Many firms have employed more compliance staff, but there is a growing need for more genuinely skilled compliance officers.
There is a consistent expectation that the cost of skilled compliance staff will continue to rise, but the growing issue is the availability of high-quality skills and experience. Many firms expect qualified staff to cost more due to the high demand and limited pool of applicants. The primary reason for the expected increase in the cost of senior compliance professionals is the demand for highly skilled and knowledgeable staff. There's no doubt that compliance is a burden and that some of the activities organizations are required to demonstrate to be compliant with the rules and regulations don't always directly contribute to the organization's security.
The reality is the cost of regulatory compliance does not have to be expensive, but it often is. The leading factor in the high cost of regulatory compliance is organizations rushing to put things in place to meet deadlines and please their auditors. Frequently, these organizations are not focusing on being compliant or developing a long-term plan or solution that will benefit their organization.
Why Do Organizations Need To Focus On Cybersecurity And Compliance
"Brand reputation is something that takes many years of great service or products, however, it only takes one bad news story to severely damage the business."
By now, you understand the technical costs of not maintaining your Cybersecurity Regulations or being compliant with all the rules and regulations in your industry. However, there is one factor that is often overlooked by organizations and not accounted for in the previous dollar costs. The way an organization is viewed by the public when there has been a breach can frequently cost more than the breach itself.
Brand reputation takes many years of excellent service and products to build customer trust, but only one bad news story can severely damage years of work. Examples of organizations that had to deal with this kind of negative press are Target, Home Depot, Sony, and the US government, to name a few. These organizations suffered breaches by either not making sure their system or network was as secure as possible or because they neglected rules and regulations that would have met the basic requirements to be compliant.
As a result, they all had to suffer weeks of the press digging into the details of the breach and discovering all the things the organization did wrong or neglected. In addition, the subsequent investigations of each of these breaches and of the organization's response uncovered all the vulnerabilities of the systems, including the lack of the tools and protocols that could have prevented these types of attacks.
The costs of a breach include updating and patching your organization's Cybersecurity, achieving compliance, lost consumer confidence, and the actual cost associated with repairing the compromised systems. These are all reasons organizations should be proactive regarding their Cybersecurity and compliance.
Every day there seem to be more people looking to cause havoc by gaining access to an organization's system or network to either steal important confidential information or hold the system or network for ransom.
It has never been more critical for an organization to be up to date with its Cybersecurity measures and compliance.
The decisions made about these areas are not just an IT department issue but something that the C-level executives must take action on.
Security measures done in the past are no longer adequate to protect your organization. More efforts must be in place to ensure that both inside and out are secure from any nefarious actors.
Practices and protocols must be in place to minimize the damage when the next breach happens to you or your organization.
It is no longer acceptable to avoid being compliant with the excuse that it does not add value to what your business does.
Being compliant with the rules and regulations set by your industry is the bare minimum Cybersecurity practice an organization can complete.
A long-term solution to minimizing the costs associated with making sure your organization is compliant is a practice many organizations are starting to implement.
The best way to avoid a breach is to continually evaluate your organization's Cybersecurity and install patches and upgrades while also streamlining processes to ensure your organization is compliant and always meets compliance requirements.
About Sath Inc.
Sath Inc. is a seasoned Security and Regulatory Compliance office. Established in 2004, we help our customers implement industry-leading technical and business solutions for governing, analyzing, auditing, and operating on everything related to IT Security and compliance.
At Sath, we create meaningful connections with our clients through strategic and sustained engagements, IT security compliance, and governance space innovations. Above all, we believe in attention to detail, interaction, experimentation, and continuous improvement. Our proprietary Identity Management software IDHub delivers intelligent management of all users on your network.
Our 17 years in Cybersecurity allow us to ensure exceptional outcomes for our incredible clients worldwide. If you would like to learn how Sath and IDHub can help your organization with its Cybersecurity and compliance needs, please contact us.