This year has been tough for organizations that have to pass compliance audits, and 2018 is not looking any better. The regulatory landscape is going to keep on changing. In the wake of the Equifax breach, the New York Cybersecurity Rules, which became effective in March 2017 and were already the strongest in the U.S., are being extended to all credit reporting agencies that do business with New York’s regulated financial organizations. NIST Special Publication 800-171 comes into force December 31, 2017, and will regulate the protection of controlled unclassified information (CUI) in non-federal information systems and organizations. And perhaps the most far-reaching change will come into force on May 25, 2018 — the EU’s General Data Protection Regulation (GDPR), which applies to every organization that processes the personal data of EU residents, no matter where it is based.
Are you prepared for all of these regulations? Many organizations aren’t. In fact, it can be hard to even know where to start.
Here are 5 key strategies that will help you comply with new laws and regulations protecting information confidentiality in 2018 — and be prepared to quickly comply with the others that will undoubtedly follow in the years to come.
- Assess your current cybersecurity status, and get the right help.
Companies from highly regulated verticals are more likely to already have the awareness and processes necessary to adapt to new regulations; other organizations still need to expand the visibility of cybersecurity on the C-level. Because not all companies have cybersecurity professionals on staff or can afford to hire them, demand is increasing for tools that automate the required technical controls, and for security consulting and services to implement and manage those tools and processes.
- Make cybersecurity a priority at the highest level.
Many businesses have shrugged off data breaches over the last few years, offering credit fraud protection to impacted customers but no real executive accountability. But the fact that Equifax’s CEO, CIO and CISO simply retired after the recent huge data breach is raising many eyebrows. U.S. regulators are trying to establish responsibility on the C-level so that data breaches cannot be simply covered by insurance and written off. In the EU, the GDPR is already crystal clear: Executives are accountable for ensuring that data is safe. Therefore, the board of every enterprise should not only initiate improvements to security programs, but also ensure the flow of stable funding to those programs. Ultimately, no one person can fix the problem of weak data security; it requires a business-driven approach led by senior leadership.
- Establish a risk assessment and mitigation process, and use it continuously.
Organizations need to establish a reliable risk assessment and mitigation process that will help them identify and prioritize the risks threatening their data security, so they can improve processes and policies to minimize those risks. And they need to understand that risk assessment is not a one-time event. Because both IT environments and the threat landscape are constantly changing, risk review and mitigation must be repeated on a regular basis, such as annually or quarterly.
- Stay alert to urgent issues that arise between your regular risk assessments.
Although risk assessment should be a regular process on the executive level, designated security personnel must always stay aware of the changing security landscape — an outbreak of a new malware variant or the discovery of a zero-day vulnerability cannot wait until the next board meeting. Establish a process for assessing and responding to new threats as the organization becomes aware of them.
- Adopt a secure framework for information protection.
Choose one of the available cybersecurity frameworks, and have your executives, security experts and IT professionals work together to adapt it to your unique environment, processes and culture. Remember, you can’t eliminate the possibility of a breach. But a breach itself is not what causes the most outrage from consumers and government officials; it’s how it is handled. There are two things that organizations repeatedly fail to do:
- Follow simple cybersecurity hygiene best practices. Think about simple things like network segmentation (Target) and patch management (Equifax).
- Notify the impacted clients and authorities in a timely manner. It took about 40 days for Equifax to disclose the data breach after they had become aware of it. Compare this to the 30-day disclosure requirement proposed by the previous administration, or to the 72-hour requirement in GDPR and the NY Cybersecurity Rule.
Once you’ve implemented these core strategies, no new data protection compliance regulation will be able to ruin your day. With an established and regularly maintained risk management strategy, you will be able to quickly adapt to the changing regulatory and cyber-threat landscapes and harden the security of your critical information.