Times Have Changed And We All Need To Start Thinking About Security And Compliance
By Zina Hassel, ZLH Enterprises & ASCII Member
Many companies diligently pursue achieving compliance and believe that their information systems are secure. Unfortunately, this isn’t usually the case. Just making certain that compliance initiatives are in place does not guarantee an optimum security posture. The face and tactics of cybercriminals evolve daily creating an environment requiring continuous monitoring. A safe assumption is… cybercriminals will breach every company, and the question is “how quickly can you stop it?”.
Security and privacy are critical to our businesses and our nation. As an industry, we have responded rapidly, learning and creating solution alternatives from each incident. The biggest problem is that most companies don’t understand the urgency of the problem and we haven’t helped by speaking in a “foreign” language that only industry professionals understand! So, let’s take the first step on behalf of our clients and start with a collection of terminology that has evolved over the last 10 years and make sure everyone understands what they need to do and why.
What’s The Difference Between Security And Compliance?
While there are some overlaps between security and compliance, genuine cybersecurity is much more than compliance.
- Cybersecurity is being secure at the operational level. Every day operational levels typically change in response to a new breach, hack, malware, or a bad actor. As a result, a cybersecurity program needs continuous monitoring with the flexibility to respond to the needs of the business and the dark drivers in the market. This is what a Security Operations Center (SOC) can do for your business.
- Compliance is a series of guidelines and standards for businesses and organizations developed by a variety of State, Federal and International governing bodies. They provide a framework that establishes the minimum amount of protection to define protected data as “secure”. There may also be penalties for non-compliance with these standards.
What Are Cyber-Risk Assessments, IT Security Assessments, Security Audits, Compliance Audits, Performance Audits And Risk Mitigation Reports?
- Cyber risk assessment - A cybersecurity risk assessment identifies the various information assets targeted by a cyberattack (such as hardware, systems, laptops, customer data, and intellectual property), and then identifies the various risks that could affect those assets. The cyber-risk assessments, security assessments, and IT security assessments are basically the same.
- Security audit: A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of policies and procedures established by the company. Another name for a security audit is an information security audit.
- Compliance audit: A formal process more typically performed by a third-party. A checklist design provides organization and assurance that the policy, law and an enforcement control mechanisms are in place.
- Performance audits: A Performance Audit identifies opportunities to implement improvements and associated plans. Today, a Risk Mitigation plan may also be known as a Performance Audit.
If a security company “says” they provide cybersecurity, exactly what does that mean?
If you search the term “Cyber Security” you will find endless pages filled with companies that offer equipment like firewalls, or security software and reporting for IT companies. Or, you’ll find ads for the big consulting firms like Accenture and Deloitte as well as 100’s of companies with catchy key phrases that don’t tell you exactly what they provide. Here are some of the key phrases you may hear:
- “Managed security platform (Manage what?)”
- “Secure and compliant IT infrastructure” (Just infrastructure or software? HIPAA, PCI?)
- “Protect sensitive information and assets with confidence (What information, and who’s assets?)”
- “Cloud-based cybersecurity (Only protects the information in the cloud?)”
- “SIEM (Security Information & Event Management) as a Service (Is this for an MSP or a company to buy?)”
- “Zero Trust Networks (What does this mean and would it be needed?)”
- “Software-defined perimeter (What perimeter?)”
What should your checklist include so you can understand all of the elements required to assess and manage the current IT and software ecosystem? You can either work with one vendor or multiple vendors to build the checklist model. It’s never a bad idea to have a disinterested third party involved in the assessment process because an assessment isn’t a pass or fail scenario. An assessment reports on those areas that are working well, and other areas where vulnerabilities may exist and create a recommended risk mitigation plan. Government agencies view assessments as an essential component in being both compliant and secure.
Key Elements Of Ongoing Security And Compliance Plan
- Access Control - a systematic approach to establishing end user privileges, including access to applications, network access, associated equipment providing rules for Identity Access Management.
- DDoS Mitigation - designed to block Distributed Denial of Service attacks from taking down a network, application, or asset; especially relevant for companies that do business online.
- Endpoint Protection - a comprehensive plan and implementation to protect desktops, laptops and smart devices including the basics of antivirus, spyware, personal firewalls and extended oversight to monitor normal usage, applications, behavior, and more.
- Incident Response - a detailed response to any incident that might occur, testing all aspects of the system from insider threats, to endpoints, and network vulnerabilities.
- Managed Services – Services that provide managed oversight of customer equipment, including continuous monitoring, system configuration, patch management, and troubleshooting.
- Managed SIEM - a real-time, managed solution for Security Information & Event Management designed to provide a comprehensive perspective of a company’s environment. It also associates data with potential threats as a preemptive action.
- Penetration (PEN) Test – a deliberate mock attack to gain access to a network, software, applications, and hardware; usually required for most compliance types.
- Perimeter Security – establishing one or more perimeters with specific boundaries for various types of networks, applications, geography, and users with an objective to
- minimize attacks and stop an attack as quickly as possible.
- Professional Services – initial data gathering about the company processes, IT and
- security assets, compliance requirements based on industry, process, transactions as
- well as current policies and procedures.
- Risk Assessment – test the company’s IT ecosystem, current security posture including
- a complete report of requirements and a risk mitigation plan for improvement.
- SOC Center – Security Operation Centers (SOC) also provide managed services with an expanded focus on security management, assessment, tracking, remediation, ongoing compliance and incident response.
- vCISO – as an alternative to hiring a CISO (Certified Information Security Officer), many partners are providing access to vCISO’s (Virtual Certified Information Security Officer’s) for planning, designing, maintaining, and evolving a strong security posture and compliance environment.
Why Should Small And Medium-Size Companies Implement Enterprise Level Security?
The biggest obstacle to having a tough, strong security program is the false confidence that your company is too small for attackers to bother with. Attackers know small and medium businesses are the easiest targets, because there are fewer resources in smaller businesses with most employees wearing multiple hats.
Compounding the problem, experts frequently present security requirements as a confusing, expensive maze causing many companies to lack simple and inexpensive security defenses. In reality, there are a lot of options any company can implement by building a plan, and working the plan one layer at a time.
The key is to take the first step and build a plan. Don’t be afraid to outsource your IT and to have multiple partners provide services based on their expertise. The key is to find a partner you trust to simplify the process; you need to understand why, when, and the cost of certain equipment, software, monitoring, and assessment. Partner with a 3rd party company to perform your security assessment, risk mitigation, and ongoing monitoring… it’s their responsibility to ensure that you have access to the right tools and plan to enable you to keep your company safe and secure.
“But I’ve Already Got A Plan It Place And It’s Just Fine”
That’s actually great news! Having a plan is the first step, but it’s just the beginning. Have you ever performed a security risk assessment? Do you have a Certified Security Officer overseeing the program? Does your plan include written policies? Does your security plan include written goals to manage ongoing risk and an incident response? Do all devices require a login for access to all sensitive data and applications? Do you use encryption?
If you answered “No” to any of these questions, you need to stop and review your risk, start with a Security assessment. You may think you’ve done enough and feel that you’ve spent enough, but your risk of being able to identify a breach and stop it is not assured. Here are some sobering facts:
- According to the Small Business Administration there are 30.2 million U.S. SMB’s
- 61 percent have already experienced a cyber attack
- Most SMB’s only have two layers of defense (Firewalls and Anti-Virus)
- The CNBC Small Business Playbook indicates it is critical for SMB’s to adopt cybersecurity
-
- Cyberattacks now cost small companies $200,000 on average
- 43 percent of cyber attacks are aimed at small businesses, but only 14 percent are prepared to defend themselves
- Insurance carrier Hiscox reveals that 60 percent of these small businesses go out of business 6 months after being victimized
- The IBM 2019 Cost of a Data Breach indicates the overall cost of the average U.S. data breach is $2.65M. (companies under 1000 employees)
- The average cost for every lost record per employee is $3,553 (companies under 1000 employees)
- The average cost per record was $2.20 for breaches of less that 10,000 records
- It takes 245 days for a full life cycle of a malicious attack from breach to final
-
- And it takes almost three years to pay for the cost of the breach:
- Year 1 = 67 percent
- Year 2 = 22
- Year 3 = 11 percent
Ask yourself again, have I really done enough to address both my compliance requirements and my
security posture? Am I willing to bet my company’s future on that position? If not…find a trusted
partner and begin to put those essential safeguards in place!
About The Author
Zina Hassel is President and Founder of ZLH Enterprises and has been a member of The ASCII Group since 2015.
About The ASCII Group, Inc.
The ASCII Group is a vibrant reseller community of independent MSPs, VARs, and other solutions providers. Formed in 1984, ASCII has more than 70 programs that provide turnkey cost-cutting strategies, innovative business building programs, and extensive peer interaction. ASCII members enjoy benefits such as marketing support; educational information; group purchasing power; increased leverage in the marketplace; and multiple networking opportunities. These programs enable ASCII members to increase revenue, lower operating costs, and grow service opportunities. ASCII is the oldest and largest group of independent information technology (IT) solutions providers, integrators and value added resellers (VARs) in the world. Learn more at www.ascii.com.