These four resolutions will ensure effective cybersecurity and robust compliance in 2024
Every new year offers a fresh start for business organizations as well as for individuals. New Year Resolutions are a tradition that stems from our desire to do things better in the coming year. As with all resolutions, half the battle is identifying the improvements; the other half is doing the work to implement them.
With another new year ahead of us, these Four For ‘24 will enable organizations to improve their cybersecurity postures and achieve compliance with all applicable regulations.
Resolution 1: Confirm Compliance with All Regulations that Apply to Your Organization
In today’s business climate, most organizations are governed by multiple regulations based on the type of functions they perform internally and externally, as well as where they are performed. As an example, hospitals must comply with HIPAA regulations, including the Security Rule, Privacy Rule, and Breach Notification Rule. In addition, hospitals whose gift shops and cafeterias accept credit cards and debit cards in payment for merchandise, food, and beverages must comply with the Payment Card Industry’s Data Security Standard (PCI DSS).
Virtually all industries can offer examples of organizations who are governed by at least two different regulations. The plurality and frequent overlap of regulations can make it difficult for organizations to understand exactly what regulations, and which specific requirements of each regulation, apply to them. And yet this scope must be understood before compliance initiatives can begin.
One way to approach this resolution is to develop a checklist based on your thorough review of all regulations and requirements that apply to your organization. Then, use the checklist to walk through the status of each requirement, noting either full compliance, partial compliance, or no compliance. This will serve as your roadmap to achieving full compliance with each applicable regulation.
Organizations who lack the required resources to work that roadmap—or even to create the roadmap—can jump to Resolution 2 and seek help from experienced cybersecurity and compliance specialists.
Resolution 2: Conduct a Security Assessment
So your in-house staff are stretched too thin right now. Or they don’t possess the required expertise. Or lack relevant experience. These shortfalls don’t prevent you from determining which regulations and requirements apply to your organization.
An alternative approach for obtaining this vital information is to schedule a security assessment with a certified professional. Your security assessment can be customized to discover all of the regulations that apply to your organization, and the degree to which you are compliant with each (i.e., full, partial, or no compliance). An experienced, credentialed security assessor will take the burden off your Information Technology team and get the job done efficiently and thoroughly, delivering the information you need to achieve full compliance in 2024.
Security assessments are the backbone of any self-respecting cybersecurity and compliance program. Most organizations are required to conduct security risk assessments annually. The payment card industry, for example, requires assessments every year. It also requires vulnerability tests every 90 days for larger merchants. HIPAA assessments are generally required annually as well.
The ISO/IEC 27001 standard, the NIST cybersecurity framework, the Sarbanes-Oxley Act, and the Gramm-Leach-Bliley Act all require routine security assessments to maintain compliance. For organizations who supply goods or services to the U.S. Department of Defense (DoD), maintaining contractor status requires demonstrated compliance with the Cybersecurity Maturity Model Certification framework (CMMC 2.0). This process begins with a mandatory security gap assessment. Failure to comply, or to have your compliance properly certified, will jeopardize your DoD contract.
Resolution 3: Review Cybersecurity Policies for Inclusion of AI Risks
Security policies and procedures are based on (1) security best practices in your industry, and (2) regulatory compliance requirements that apply to your organization.
A compliant security program relies on a complete set of policies and procedures that meet these standards. Amending them as your organization grows and changes is vital, as is maintaining them so they can be accessed and used with confidence by those responsible for implementing them.
The use of artificial intelligence (AI) is increasingly common in business. Still in its infancy, however, AI lacks standards for even basic aspects of its use—such as disclosing when an image has been altered by AI or when text has been created by AI. It’s no wonder that 82% of Americans want AI to be regulated.
Absent the inclusion of AI in existing regulatory requirements, professional cybersecurity consultants and large enterprises are beginning to blaze the trail toward standardization. Every organization who uses AI needs to:
- Be aware of the emergent risks, and
- Include AI usage policies as part of their overall cybersecurity policies.
The Gramm-Leach-Bliley Act in the financial services industry, the PCI Data Security Standard in the payment card industry, the HIPAA Security Rule in the healthcare industry, and other regulations require written policies and procedures to support an organization’s security program.
Across all industries, best practices require that organizations keep their security policies up-to-date and reflective of all significant internal changes, especially changes to infrastructure, information systems, and third-party suppliers.
Resolution 4: Schedule a Vulnerability Assessment
Many security risk assessments (see Resolution 2) include the completion of vulnerability assessments as well, due to their importance in discovering security gaps. That’s why, in addition to being a resolution for 2024, conducting a vulnerability assessment should become an annual activity.
The mainstay of a vulnerability assessment is internal and external penetration testing, which can reveal weaknesses in your infrastructure that can be exploited by cybercriminals seeking to access or steal data.
Vulnerabilities may occur in physical, digital, and social forms.
- Physical vulnerabilities would include a security door that has been propped open for employee convenience, or passwords displayed on post-it notes attached to a computer or file folder.
- Digital or electronic vulnerabilities would include weak passwords or the absence of a robust password policy, outdated firewalls, and expired software, as a few examples.
- Social vulnerabilities are related to employees, who are known as the weakest link in the security chain for good reason. Phishing scams are a prime example of how hackers successfully exploit unsuspecting or poorly trained employees in order to acquire login credentials to access sensitive information or emails.
When scheduling your vulnerability assessment, make sure that all three types of vulnerabilities are addressed. Your assessment should include scans from the outside (as a hacker would perform) as well as onsite and remote vulnerability testing. In addition, become acquainted with the three types of penetration testing and consider which one is right for your organization.
Each new year offers an opportunity to identify improvements we’d like to make and to resolve to actually implement those improvements. The four resolutions suggested here will enable you to conduct business more securely and achieve full compliance with the regulations that apply to your organization. To achieve them, you must learn all of the regulations that apply to your organization, and to what degree you comply with them. A security assessment is a powerful stride toward that objective, just as a vulnerability assessment is a powerful tool for revealing weaknesses in infrastructure. Finally, with the use of artificial intelligence seeping into many business functions, individual organizations must develop thoughtful policies to identify and reduce the risks associated with AI.