December 1, 2021

The average cost of a data breach is more than four million dollars, according to IBM, and several growing trends are pushing these costs higher. For example, remote work increases the cost of a data breach.
Healthcare breach costs are soaring, and compromised credentials are one of the most common causes of breaches.
In the modern IT environment, having the right cybersecurity practices in place keeps your users, information, and devices safe.
For example, one such practice is the use of single sign-on solutions, which improve both cybersecurity and compliance at the same time.
With that in mind, the following are some general things to know, not just about the current cybersecurity environment but also about how compliance becomes part of it.
Industries Affected by Cybersecurity Compliance
Whether or not you have to meet certain cybersecurity compliance guidelines depends largely on your industry. Heavily affected and regulated industries include:
- Healthcare: The Health Insurance Portability and Accountability Act (HIPAA) is one of the most well-known cybersecurity regulations. You might not necessarily think of it as a cybersecurity regulation, but that’s precisely what it is. Under HIPAA, healthcare organizations and insurance providers are required to use controls to secure and protect data.
- Financial services: It’s apparent why any business in the financial services industry might face compliance standards. The most common regulations for this industry are in the Federal Financial Institution Examination Council handbook. The handbook was fairly recently updated to emphasize continuous monitoring and business continuity internally and across the entire supply chain. Also relevant to financial services is the Service Organization Control (SOC) Type 2, developed by the American Institute of Certified Public Accountants.
- Government: Increasingly, local, state, and federal government entities are being targeted by cyberattacks. In May 2021, the Biden administration signed an executive order aimed at protecting the federal infrastructure. Under the EO, federal agencies have to use new standards and tools to maintain software supply chain security.
- Consumer businesses: Businesses with direct public consumer contact, which includes retailers and restaurants, are increasingly using digital technology as a way of communicating with customers and improving their experience. Because of that, there are growing regulatory requirements these businesses must face like the California Consumer Privacy Act and the Consumer Data Protection Act, recently passed in Virginia.
The Broad Meaning of Cybersecurity Compliance
Cybersecurity compliance isn’t based on a stand-alone regulation or standard, although there are applicable, specific ones.
Depending on your industry, there are overlapping standards, and as such, using a checklist approach may not be comprehensive enough or it could end up creating more work than is necessary.
What Data Is Subject to Compliance?
Laws related to cybersecurity and data protection focus primarily on the protection of sensitive data. Sensitive data includes protected health and financial information, as well as personally identifiable information.
Personally identifiable information includes first and last name, date of birth, social security number, address, and mother’s maiden name. Protected health information includes medical history, records of admissions, information about medical appointments, and prescription records.
Financial data can include social security numbers, bank account and credit card numbers, and credit history and ratings.
Also considered potentially sensitive information are IP addresses, email addresses, usernames and passwords, and marital status. Race, religion and biometric authenticators are sensitive as well.
The Benefits of Compliance
If you’re an organization that has to meet certain regulatory guidelines or laws related to cybersecurity, making sure you’re compliant has a number of advantages. First, of course, if you’re found non-compliant, you could have to pay fines and penalties in the event of a breach.
Strictly following the requirements, on the other hand, reduces your overall cybersecurity risk and all the direct and indirect costs associated with it. Indirect costs of a cybersecurity event can include loss of business, damage to your reputation, and business interruption.
When you have proper measures in place, you can protect your organizational reputation, maintain trust with consumers, and build customer loyalty.
You’ll operate more efficiently when you have well-defined systems in place for managing, storing, and using sensitive data.
If you aren’t already dedicating proper resources to cybersecurity compliance, start with creating a team. A compliance team is something you should have, even as a small or mid-sized business. From there, move to the creation of a risk analysis process and begin setting controls and policies. Make 2022 the year you go all-in with cybersecurity compliance.