Security and compliance; the terms are often used interchangeably. However, while they are related practices, both are different approaches to a common problem: ongoing security threats.
The relationship between compliance and security is best explained with a health analogy. Everyone knows that to stay on top of your game, it is essential to follow a healthy lifestyle, eat healthy foods, exercise, and be mindful of your physical and mental well-being. However, if you do not know your family’s medical history or choose to ignore it, you may still have high cholesterol that requires medication to keep it under control, even with a well-balanced diet.
What Does This Have to Do with Cyber Security and Compliance?
We can all agree that living a healthy lifestyle good and should be practiced as often as possible. Green vegetables, whole grains, low-fat milk, and exercise are all good stuff, and no doctor would tell you otherwise. But what if you’re gluten-sensitive, lactose intolerant, or you have a bad knee, and running is out of the question? Does healthy living no longer apply?
Of course, it does. You simply have to make adjustments. Living a healthy lifestyle will prevent sickness and health issues, but what healthy eating is for you might not be quite the same as for your gluten-sensitive, lactose-intolerant friend. The concept remains; only the tools to get there are slightly different.
The same applies to compliance and security. While there is some overlap, both compliance and security are necessary for the healthy operations of your business. Whereas compliance helps you maintain an “audit-ready” posture, your security tools are what allow you to sustain a “low-risk” outlook from a security perspective.
Let me explain.
Cyber security is a set of techniques and practices that you put in place to protect your digital infrastructure and electronic data from being compromised by cyber-attacks. Whatever those measures are is dictated by how you run your business, the type of data you collect, where it resides, who has and needs access to it to perform their job, and where this might result in vulnerabilities that need to be protected.
Whereas cybersecurity includes all the tools, processes, and operations needed to protect sensitive data, regulatory compliance aligns those security systems within the standards set by a governing body to call for a basic level of security for all businesses.
Over the past ten years, over 10,000 regulations have been placed on the books by local, state, and federal agencies pertaining to the handling, storage, and disposal of digital personal information (PII/PHI).
A few examples are:
- SEC Rule 17a-4 Electronic Storage of Broker-Dealer Records Graham-Leach-Bliley Act
- DOD 5015.2 Department of Defense
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security (PCI DSS)
- Gramm-Leach Bliley Act (GLBA)
- NY State Data Protection Act (SHIELD)
- Defense Federal Acquisition Regulation Supplement (DFARS)
No matter how small your business is, you will undoubtedly be affected by one or more of these government regulations. Naturally, some industries are more regulated, such as financial or medical. Still, all companies that hold information such as employee social security numbers, credit cards, and financial statements (credit applications, bank statements, order forms) fall under at least one of these regulations:
- Providers in the healthcare industry, you must follow HIPAA compliance. HIPAA is a federal law that aids in the privacy of patients’ health records. It imposes rules and regulations on healthcare providers and companies within the field to keep patients’ private health information (PHI) from being disclosed without their consent or their knowledge.
- Providers in the Defense Industry or working with Department of Defense agencies must meet NIST 800-171 and DFARS (soon to be supplemented by or replaced by CMMC) standards as these contractors often have access to classified or not information public.
- Any organization managing credit card payments need to adhere to PCI-DSS, which governs how you handle customer credit card data at the point of sale, data transfers, and data at rest in a server.
- Compliance regulations for those who operate in the financial industry are some of the strictest around. Not only are you subject to the Gramm-Leach Bliley Act, but you are also regulated by the Sarbanes-Oxley Act (SOX) and, if you happen to operate in the state of New York, NYDFS 500 regulations.
- To make things more complicated, regardless of your business vertical (or the subsequent compliance rules you need to adhere to) or the size of your business, all of us who collect or have access to data on NY state citizens are subject to the New York SHIELD Act (or Stop Hacks and Improve Electronic Data Security Act). This act requires any business or individual that owns or licenses computerized data on NY residents to maintain the safeguards necessary to protect their sensitive information.
In other words, compliance dictates standards and outlines blueprints (i.e., what constitutes a healthy lifestyle) that force organizations to make cybersecurity an essential part of their business operations (healthy foods and exercise are fundamental to that healthy lifestyle). What specific security measures are appropriate for your business depends on size, vertical, and the sensitive data you must protect (i.e., family history, body type, etc.).
Cyber security and regulatory compliance work right alongside each other. If you’re trying to ensure that your business stays compliant, you need to buff up your cyber security practices and implement a strong security posture. You can take many methods to do this. If you’re unsure where to begin, give us a call. We would be glad to help you take the next steps toward creating a cyber-secure business.
All you need is a health coach to help you get started and remain on track.
