28 views | Jan 13, 2020, 01:53pm

Why Prioritizing Cybersecurity Makes Compliance Easier
Milton Bartley Forbes Councils Member
Forbes Technology Council COUNCIL POST | Paid Program
Innovation

POST WRITTEN BY

Milton Bartley

Co-Founder, President and CEO of ImageQuest, providing IT compliance and cybersecurity expertise to clients in
regulated industries.

Every month in 2019, a new high-profile data breach made headlines. More than a
billion customers of various companies had their private information stolen by hackers
or exposed on unsecured servers. This poor management of private data angered many
– including lawmakers. New data privacy laws in California and New York take effect
this year – and Microsoft and Apple seek national data privacy regulations.

If your organization collects Personally Identifiable Information (PII) – or works with
client organizations who do – you face increasing data compliance regulations. That is
one result of all these mega-breaches.

Another result is the market now expects you to have your cybersecurity act together. So
many breaches result from simple steps not taken – weak passwords, overlooked
patches and updates, outdated security. Suffer a breach now, and not only do you face
angry clients who may leave and sue you, you also face business losses, regulatory fines,
negative publicity and possible bankruptcy.

Even without a breach, your large regulated clients now must put you through a rigorous
vetting process. If they find that you’re compliant – but not secure – you risk losing that
business.

Some bad actors out there work for enemy nations, and the breaches they cause could
leave you with systems damaged beyond recovery. Just last month, IBM published a
warning about an Iranian wiper virus called ZeroCleare, which overwrites a crucial
element of an operating system, destroying file structure and disk partitions – and
permanently erasing data in the process.

Your organization needs to be out ahead of this bad news. Cybersecurity must be a
priority if you handle sensitive data. Just because you’re meeting IT compliance
requirements does not mean you’ve plugged all your vulnerabilities.

Here’s an example: Your organization meets your regulatory data compliance
requirements. You limit who works with it, shield its exposure to the public, and you’ve
checked the boxes on dozens of other regulatory requirements because someone at your
company wrote policies and plans that met those requirements.

Then one day, an employee thinks they’ve received an email from the boss, asking for
payroll data. The email arrives right as project deadlines swamp the employee with
work. So they respond to the message and move on. But it wasn’t a legitimate request –
and now malware is rapidly exfiltrating your data to overseas servers controlled by
criminals.

Compliant Is Not Secure

Our company provides IT compliance and cybersecurity services to clients in regulated
industries. The message we try to drive home is: If you focus on increased cybersecurity
as your outcome, then it is far easier for you to be compliant. But if you only focus on
being compliant, you may miss the opportunity to make your business more secure.

Let’s take our harried employee from above. Let’s say they work at your law firm, which
serves clients in healthcare and banking. Your clients are governed by HIPAA and FFIEC
rules, which means you are too, because you have their data in your case files. This
means your organization is required to hold cybersecurity training annually. But
recently you’ve had other priorities to cover, and your budget hasn’t included additional
IT funds.

So HR found inexpensive training materials online and forced everyone – including the
harried employee – to watch a boring training slideshow. Because it was boring – and
because it was low priority – the messages weren’t reinforced with periodic reminders
afterwards. Workers forgot about the training and returned to their old habits. A few
months later, your employee opened the door to a data breach.

Now, let’s take an example from one of our clients. An employee, working on a company
computer at home, got a call purporting to be Apple Care Support. The caller claimed
that her Apple ID appeared to be compromised. This employee had been through live
security training that also is reinforced periodically. When the caller asked for her
password to set things straight, the hair went up on the back of her neck. She terminated
the call. Good security training gave her the instincts to sense trouble.

The FBI says the most common cause of a data breach is an employee clicking a
fraudulent link or opening a fraudulent attachment in an email. You don’t prevent that
by meeting regulatory compliance.

To be sure, I am not saying cybersecurity will prevent every employee you have from
making a mistake. But it can go a long way toward protecting your assets when that
mistake happens.

Compliant – By Being Secure

When we develop cybersecurity plans for our clients, among the issues we focus on
include: How can we quickly detect intrusions? How do we stop malware from
spreading? Ransomware from encrypting all the backups? And what is needed so this
client can recover as fast as possible?

Compliance audits don’t ask those questions. Usually, they ask: Do you have a plan? It’s
very easy to say yes, even if your plan’s unworkable in reality.

Here’s another example: A Disaster Recovery Plan. Have you rehearsed yours? You can
tell a compliance auditor you have one – stored in a file somewhere. But without testing
it, are you sure your plan follows the correct steps?

Our clients also say yes, they have a plan – and are confident in knowing it will work.
Because we’ve helped them build and test it, our clients know it’s realistic. They know
they can get back in business rapidly whether they’re offline because of malware – or a
fire.

Our cybersecurity processes help our clients develop good answers to regulatory
questions. They’ve done our Risk Assessments, and discovered oversights they would
have missed.

And through our documentation processes, clients have thought through important
organizational issues in security and compliance. The end result is they are compliant
through the steps they took to be secure.

Cybersecurity and compliance are not synonymous. But if you give cybersecurity the
priority our world now requires, compliance will follow – and so will business.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs
and technology executives. Do I qualify?