Getting Ahead of Cybersecurity Regulation Offers a Competitive Advantage
As cybercrime continues to skyrocket (security incidents up 124% year over year) and headlines are still dominated by high-profile cybersecurity issues (SolarWinds, Colonial Pipeline, Log4j), the government has become keenly interested in regulating how businesses protect their data and assets. This desire to regulate applies not only to those engaging in business with the federal government but to nearly all businesses. Potential legislation aims to improve security for everyone, but it will also force changes to how business is done and to what constitutes reasonable cybersecurity practice.
This article is part of a series expanding on 2022 predictions discussed in this webinar. We are digging into the business impact of regulatory challenges and why your business should get ahead of these legislative changes.
More Cybersecurity Regulations on the Horizon
Globally, there is a rising public sentiment that governments need to “force” businesses to take control of their security and track incidents. Past security legislation required companies to rapidly scale up processes and controls to meet the requirements. As new legislation is enacted to address the evolving threat landscape, organizations will once more be faced with similar time-bound demands.
The U.S. government has already begun issuing security mandates with President Biden’s Executive Order in 2020. The order expanded the security requirements for organizations doing business with federal agencies. To better protect systems and data, it included controls against supply chain attacks in software development.
Other federal US cybersecurity regulations include the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Modernization Act (FISMA). Outside of the US, governments have also taken an interest in protecting data and the privacy of their citizens. The General Data Protection Regulation (GDPR) is an EU regulation that specifically targets how data is collected, used, and shared by organizations. Even though it is EU-specific legislation, it applies to all businesses with European customers and empowers those customers to control how their data is collected and handled. Companies that fail to comply can be penalized with steep fines, especially if the non-compliance is willful.
GDPR is one of many security and privacy laws worldwide that have already taken effect. This sets a substantial precedent for the US federal government to enact one of its own rather than leaving it entirely to the states (e.g., the California Consumer Protection Act (CCPA) or the NY SHIELD Act).
Government regulatory bodies aren’t the only groups providing standards, recommendations, and compliance requirements. The Payment Card Industry Data Security Standard (PCI DSS), which affects any organization that handles credit cards, is administered by the Payment Card Industry Security Standards Council. The International Organization for Standardization (ISO), headquartered in Switzerland, is an international body that sets standards for a variety of industries, including automotive. Additionally, the National Institute of Standards and Technology (NIST) is a non-regulatory branch of the US government that produces technology standards, including those for cybersecurity.
Upping Executive Accountability
Part of what drives cybersecurity legislation is the historic lack of accountability and the blame-shifting that has notoriously followed the discovery of security incidents. Security teams blame management for not providing the budget, and management blames other initiatives taking priority. In reality, the blame is often shared among many parties.
A similar situation occurred, leading to the financial crisis in 2008. Banks and investment companies as a whole had not been following best practices for governance and operations. Failing to do so created a perfect storm of bad investments and the need for government bailouts to keep these businesses afloat. All of this resulted in the Sarbanes-Oxley Act (SOX).
SOX was unlike many previous regulations in that it forced businesses to comply through means other than just fines. Executives were directly confronted with personal consequences, including fines and jail time, for failing to adhere to SOX directives. This personal accountability forced leadership to push for SOX compliance rather than give it lip service. Future security legislation may take a similar approach to SOX and create compliance penalties for executive leadership.
Forced Breach Transparency
Regulations often mean the forced implementation of new security initiatives. However, that is not the only way cybersecurity regulation could affect your business. Currently, companies don’t always have to report incidents. In cases where no regulated data is involved, they can often handle the incident internally without anyone outside knowing. New cybersecurity regulations could change all this and force the reporting of all incidents to a centralized agency, with potential visibility to the public.
The SEC could track incidents and report them in a way that is directly visible to the public. This increased visibility could expose which businesses don’t handle security well, and the ramifications could be very damaging to a business’s reputation. When choosing new product and service solutions, knowing whether the candidate company has a history of security missteps can make the difference between a sale and a pass. Not only will your business need to be secure, but you will also need to be able to demonstrate the strength of your security posture through reporting and certifications.
The Downside of Generalities
Many regulations must use a broad brush when defining what is required. Requirements are likely to be general in nature and to cover well-known, established best practices. Unfortunately, that sometimes means not every specific use case of your business will be addressed. In these cases, compliance may not seem like a worthwhile endeavor. Businesses may not think advance preparation is beneficial, when in fact it can save them money in the long run.
Security Prior to Mandates
Many businesses will wait for security measures to become mandatory before taking action, out of fear that they will be left holding the bag on pointless expenditures. However, it is more likely that making targeted security changes tailored to your business will improve your overall security posture and avoid costly, damaging breaches. Additionally, those who prepare in advance have other advantages that the laggards will not. If you beat the crowd to these required security measures, you can avoid paying a premium for security tools when a regulation is nigh. You can also take the time to find vendors that are the right fit and implement them in a controlled manner instead of being forced into faster implementation schedules.
Establish a Strong Cybersecurity Foundation
Rather than finding a solution that just “checks a box” to meet the mandated requirements, it’s important to identify vendors that deliver solutions for your business’s unique needs. It is wise to do a needs assessment before signing with a vendor, to avoid purchasing functionality that the organization may never need.
The goal is to invest in a robust security foundation, not just meet a compliance mandate. Security teams need to make it challenging for attackers to infiltrate and therefore reduce potential for a breach. With the cost of a breach averaging $4.24 million, there is a strong financial incentive to be secure.
All security solutions require time and effort to implement, but doing it in a rush can lead to increased costs, greater time investment, and potential misconfigurations. A strategic approach to your security solution rollout will save time and money.
Many vendors would happily charge extra to expedite a rollout if they could, but this is not always possible. With the current shortage of skilled security personnel, there is no guarantee that they can scale to accommodate all requests. If new regulatory mandates are issued, this will only increase the demand for expedited implementation. New mandates rarely come with flexible deadlines.
Finding a solution that not only meets your needs but can also be deployed quickly may mean passing over lower-priced or preferred vendors that are a better fit in favor of anyone who can deliver on time.
Now is the best time for businesses to get ahead of future cybersecurity regulations. Taking the time to plan out your organization’s future needs, rather than waiting on mandates that may come, will help deliver the best solutions with the least disruption to your organization.
Fortra is a trusted leader in cybersecurity, offering several well-known solutions and brands including Digital Defense. Listen to our latest webinar to learn more about the security changes on the horizon and what steps you can take to protect your organization better.