Legal, Compliance, Finance, and Operations can all contribute to a safer and more secure perimeter
Discussions of an organisation’s cybersecurity are usually left to the IT department. If something is broken or looks suspicious, employees simply contact their IT resource.
However, sending an urgent message to IT is most likely not going to resolve an issue, thwart criminal activity, or increase the overall security posture. Since long before the arrival of COVID-19, organisations have had to adopt a more DIY approach to cybersecurity, for the following reasons:
- Remote employees reach the corporate network over their home Wi-Fi connections and the public internet.
- Employees may be using personal devices in addition to company-owned devices to complete work-related tasks.
- Due to collaboration platforms, the network must accommodate more resource-intensive voice and video traffic than it ever had in the past.
- Organisations are challenged with ‘outsiders’ – contractors, vendors, and even clients – permissioned into one or more of the company’s apps, widening the attack surface.
- IT resources are stretched, as admins must be responsible for managing a growing roster of endpoints, services, and applications. In fact, due to economic challenges, there may be fewer IT resources available overall.
- Cybercriminals have stepped up the scale and sophistication of their attacks to exploit both vulnerable employees and weaknesses in unsecured devices and apps on the network.
Suffice it to say, the DIY approach to cybersecurity will be in place for a while, but how can organisations defend themselves moving forward?
Many organisations simply resort to continuous employee training and automation software in order to defend all endpoints, apps, and the network. However, this is still not enough.
Enter Compliance
Protecting against cybercriminals using intuition or off-the-shelf software alone might not go far enough in ensuring a secure perimeter. For those organisations operating in regulated industries, such as finance and healthcare, compliance, legal, and other departments need to step in.
For example, home health aides, who provide care to individuals in their homes, are most likely using tablets or smartphones to record data on their patients. More than a security issue, there are compliance and operational issues, due to the following:
- The home health aide might be a contract worker using their own device not owned by their employer.
- The device’s security settings might be set by the worker, and perhaps not to the standards of the employer.
- The license for the software used to capture patient data might be for the contract worker, not for the employer.
- The Wi-Fi settings used to transmit data from the device might not be set to the strength level mandated by the employer.
- The home health aide may not have undergone formal Data Protection Act or HIPAA training, or their training has expired.
As such, we can see that cyber security is only part of a larger compliance mandate that organisations, their employees, and contractors must adhere to.
Rather than treating them as separate business processes, the most successful organisations unify their approach. Compliance used to mean performing the bare minimum of legally required measures and activities to satisfy external parties. As shown, compliance needs to be part of a larger operational approach that involves several teams. The end result is not simply satisfying a government regulator but also ensuring that employees and contractors are performing their jobs and capturing data to the strongest and safest standards possible.
Thinking Ahead
Creating and implementing a cybersecurity strategy based on your organisation’s needs and conducting a gap and risk assessment are key steps for developing not only effective cybersecurity programs but also strong compliance policies. These steps analyse your technology and internal processes to identify the areas of vulnerability and the approximate size of the attack surface, in order to improve security posture and meet compliance requirements.
It’s important to note that organisations should not view compliance standards and regulations as a guide for creating a cybersecurity program. Instead, it should be the other way around. A cybersecurity program should encompass compliance requirements, while still considering all of the organisation’s assets, including all endpoints, applications, and networks.