Insurance companies are raising the bar, with higher expectations on businesses to protect their valuable data before they can acquire cyber liability insurance. But it’s not just insurance companies that are raising the bar. Governments around the globe are now requiring that more industries comply with some type of standard to better protect the data they possess. What many people don’t realize is that these standards are all based on the protection of personal, private, confidential, sensitive or valuable information. Whether it’s HIPAA, NIST 171, GDPR, CCPA, CIS 20 or another cyber security standard, the goal is to protect the customer’s or client’s data as a requirement of doing business. Governments want businesses to make it more difficult for cyber criminals to steal valuable data. If you look at the core of these various compliance standards, you’ll find they all begin by requiring a risk assessment and then move toward a more holistic approach to cyber risk management.
What does holistic approach mean?
The most common view of cybersecurity is that it means protecting hardware and software. While this is an important element, it is not enough. Over 65% of breaches are caused by human error, which means cybersecurity training needs to be part of any solution. Do you have separate public and private networks for employees and clients? Are there policies and procedures in place for the security and encryption of valuable data if and when it leaves your office? Creating a culture of compliance starts at the top, with leadership setting the example for behaviors and expectations on data security.
What’s the value of your data?
One of the first steps in a cybersecurity program or plan is to identify all valuable data and where it is stored and transmitted. Many overlook the first part of this: identifying the valuable data. For example, if you ask most healthcare providers “Which is more valuable on the dark web, a credit card or a patient record?”, they will respond that the credit card is more valuable. The fact is that the patient record (PHI) is worth 50 times the credit card. This means healthcare providers holding PHI are 50 times more valuable to cyber criminals. The next part is to identify where the valuable data resides. For example, many billing personnel export 100% of the data to a local workstation, then save it, unencrypted, in the download folder, on the desktop, or on a shared network drive. The data is usually saved unencrypted in the browser cache too. It’s just waiting to be stolen or locked by the criminals.
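As an added example (not code from the original post), the data-discovery step described above can be made concrete with a small scan that walks the usual export locations and flags files holding card numbers or SSN-shaped identifiers. The sample files, paths and patterns below are constructed for illustration and are not from the page.

```python
import os
import re
import tempfile

# Constructed sample files standing in for a billing workstation's export
# locations (assumption: names and contents are illustrative, not from the page).
SAMPLE_FILES = {
    "Downloads/claims_export.csv": "name,ssn,card\nA. Patient,123-45-6789,4111111111111111\n",
    "Downloads/notes.txt": "Lunch at noon. Order number 1234567812345678.\n",
    "Shared/readme.txt": "No sensitive content here.\n",
}
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN layout, a common PHI identifier

def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment cards; filters out random 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_text(text: str) -> set:
    """Return the kinds of sensitive data found in a blob of text."""
    kinds = set()
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        kinds.add("card")
    if SSN_RE.search(text):
        kinds.add("ssn")
    return kinds

def scan_tree(root: str) -> dict:
    """Walk root; map each flagged file (relative, '/'-separated) to its data kinds."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, errors="ignore") as fh:
                kinds = classify_text(fh.read())
            if kinds:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = kinds
    return findings

def demo() -> dict:
    # Write the constructed samples into a temp dir and scan it.
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        return scan_tree(root)
```

Only the CSV export is flagged: the order number in notes.txt is 16 digits but fails the Luhn check, so it is not reported as a card number.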
Why start with an assessment?
Most business owners or managers of smaller companies don’t understand the value of a full Security Risk Assessment, which is required by most of these compliance standards. A risk assessment provides you with a list of issues that need to be addressed. By prioritizing this list, you create a risk management plan to address the issues and improve the protection of your valuable data. As you work through and correct issues, you change the culture of your work environment to be more aware of protecting the data, creating a culture of resilience. Over time the policies and procedures become Standard Operating Procedures for your business. You simply operate more securely, greatly reducing your likelihood of a breach.
What’s the goal?
So, what’s the goal of all these different compliance standards? Why does the government care? Why are the governments sticking their noses in company business? It’s actually to protect the business! Protecting the individual’s personal information helps to protect a company’s reputation and maintain the trust of its customers, ultimately keeping the company in business and profitable.
Are you ready to begin protecting your valuable data and creating your own culture of resilience? Start with our 2-minute Cyber Quick Check to see your current level of vulnerability.