CSAM: Surprising Truths about Compliance and Security
In our final post for Cybersecurity Awareness Month, Tim Brown looks at the growing trend of industry-agnostic compliance laws and the relationship between compliance and security.
Compliance laws often drive security investments. When the European Union passed the General Data Protection Regulation (GDPR), organizations scrambled to get their systems and processes in line. Since then, similar laws surrounding data security and breach notification requirements have been passed in the US with similar outcomes.
Even if your organization doesn’t currently fall under compliance regulations, odds are good you will at some point (either at your current organization or elsewhere during your career). Today, to close out National Cybersecurity Awareness Month, I want to talk about the future of compliance and its relationship with security in general.
Today’s compliance laws are only the beginning—expect regulations to get tighter in the future.
Over the past few years, the general public has grown increasingly aware of data privacy issues. Each time a major breach hits the news, the public grows a little more aware of the potential dangers of sharing their data online—and lawmakers have been responding.
For decades, we’ve had industry-specific regulations under which data and personal information were protected, such as HIPAA for healthcare, SOX for finance, and PCI DSS for credit card transactions. However, GDPR kicked off a trend of industry-agnostic data protection regulations. At the time of writing, 11 states in the U.S. have subsequently passed laws surrounding data security and privacy, including California, Nevada, Maine, and New York. If you reside in one of these states or your business’s customers do, you should be aware of the main points of these regulations (CSO published a good overview in August).
If recent trends are any indication, we can expect data laws to continue proliferating. If your organization falls under any new regulations, you should seek proper legal counsel before taking on any compliance-related projects.
Compliant doesn’t automatically equal secure. Focus on a robust, complete security program to stay safe.
As mentioned earlier, compliance often drives investments in security. Some businesses only focus on clearing the minimum compliance guidelines. However, compliance and security aren’t twins—they’re cousins. Clearing the compliance bar doesn’t mean you’re safe from cybercriminals (or data breaches or, more importantly, lawsuits).
To truly protect your organization (and its reputation), you need to offer a more robust security program. Our previous cybertips from my colleagues during National Cybersecurity Awareness Month offer a broad perspective on building out a good security program. Regardless, I think it’s worth reiterating some points:
- Focus on the fundamentals: You can prevent many attacks simply by practicing the basics well. Patch often so all your systems and software have the latest security updates; back up data often so that, after a successful attack, you can quickly roll back to a clean system without losing much data; keep up with antivirus updates; and employ email security to keep spam, phishing, and other email threats out of the organization.
- Look internally: Many businesses spend a lot of time preventing external threats. However, insiders play a role in a large portion of data breaches, whether by accident or by malice. So, make sure to put in controls and safeguards to prevent insider threats. One option is to police access rights to make sure no one in the organization has excessive privileges. This can help prevent sensitive data loss if someone starts trying to maliciously harm the organization, or if their accounts get compromised by external threat actors.
- Know your threats: Defeating cybercriminals means knowing how to adapt to their threats and tactics. Whether it’s common issues like email threats, old standards with new twists like ransomware leaving behind additional malware to extend an attack’s shelf life, or emerging issues like living-off-the-land (LotL) attacks, try to stay in the loop by following the security press. Additionally, consider employing a strong security information and event management tool like SolarWinds® Security Event Manager (SEM), which incorporates threat intelligence to help you detect and respond to emerging threats.
- Think strategically: Individual tools and tactics help, but they need to roll up into a larger security strategy. Before setting policies for your organization, try to determine the key assets and accounts. From there, you can put extra safeguards around the top 20% that pose the greatest risk to the business while making life more convenient for the remaining 80% of employees.
- Practice makes perfect: Once you’ve built your security strategy, make sure to train both your own technicians and your users. But remember that training doesn’t end with one session—you need to build an ongoing culture of security. That takes practice and reminders. For your end users, try to send periodic best-practice email reminders on different topics, like recognizing scams and phishing or password guidelines. For your own team, make sure you have an incident-response plan in place so everyone knows their roles, and consider running practice drills for security incidents ahead of time so people remain calm under pressure.
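The "look internally" and "know your threats" points above both come down to two checks: compare what each account has been granted against what its role actually needs, and watch the logs for accounts exercising privileges outside that baseline. The script below is an added illustration of those two checks, not code from the original post or from SolarWinds; the role baseline, the identity-store export, the log format and every user name in it are constructed for the example.

```python
"""Least-privilege access review plus log-based detection of out-of-baseline use.

Constructed example: roles, accounts, privileges and log lines are all made up.
"""
import re

# Hypothetical role baseline: the privileges each role needs to do its job.
ROLE_BASELINE = {
    "finance": {"read:ledger", "write:ledger"},
    "support": {"read:tickets", "write:tickets"},
    "it_admin": {"read:ledger", "read:tickets", "admin:users", "admin:hosts"},
}

# Hypothetical identity-store export: user -> (role, privileges actually granted).
# bob and dave have accumulated grants beyond their role ("privilege creep").
ACCOUNTS = {
    "alice": ("finance", {"read:ledger", "write:ledger"}),
    "bob": ("support", {"read:tickets", "write:tickets", "admin:users"}),
    "carol": ("it_admin", {"read:ledger", "read:tickets", "admin:users", "admin:hosts"}),
    "dave": ("finance", {"read:ledger", "write:ledger", "admin:hosts", "read:tickets"}),
}


def find_excess_privileges(accounts, baseline):
    """Return {user: sorted privileges granted beyond the user's role baseline}.

    This is the periodic access review: anything listed here should be either
    justified and documented or revoked.
    """
    excess = {}
    for user, (role, granted) in accounts.items():
        extra = granted - baseline.get(role, set())
        if extra:
            excess[user] = sorted(extra)
    return excess


# Constructed audit log in a simple key=value line format (timestamp, user, action, resource, result).
LOG_LINES = """\
2019-10-30T09:01:02Z user=alice action=read resource=ledger result=ok
2019-10-30T09:05:41Z user=bob action=admin resource=users result=ok
2019-10-30T09:06:10Z user=bob action=read resource=tickets result=ok
2019-10-30T10:12:33Z user=dave action=admin resource=hosts result=ok
2019-10-30T10:13:07Z user=mallory action=write resource=ledger result=denied
2019-10-30T11:00:00Z user=carol action=admin resource=users result=ok
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def detect_out_of_baseline_use(events, accounts, baseline):
    """Flag events where the privilege used is not in the user's role baseline.

    Returns (timestamp, user, privilege, reason) tuples. An account that is not
    in the identity store at all is flagged regardless of the result, since even
    a denied attempt from an unknown principal is worth a look.
    """
    alerts = []
    for ev in events:
        privilege = f"{ev['action']}:{ev['resource']}"
        if ev["user"] not in accounts:
            alerts.append((ev["ts"], ev["user"], privilege, "unknown account"))
            continue
        role, _granted = accounts[ev["user"]]
        if privilege not in baseline.get(role, set()):
            alerts.append((ev["ts"], ev["user"], privilege, f"outside {role} baseline"))
    return alerts


if __name__ == "__main__":
    for user, extra in find_excess_privileges(ACCOUNTS, ROLE_BASELINE).items():
        print(f"REVIEW  {user}: excess grants {extra}")
    for ts, user, privilege, reason in detect_out_of_baseline_use(
        parse_log(LOG_LINES), ACCOUNTS, ROLE_BASELINE
    ):
        print(f"ALERT   {ts} {user} used {privilege} ({reason})")
```

The review step is what a compliance auditor asks for; the detection step is what actually catches the case the post describes, where a compromised or malicious account with excess rights starts using them. Note that bob's admin action is flagged even though the grant exists, because the comparison is against the role baseline rather than against what the identity store happens to allow.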
More regulations on the horizon?
As the public grows more aware of data breaches and their potential ramifications, it’s a safe bet that we’ll see data laws increase in scope. But don’t forget that compliance alone doesn’t make a business secure. Preventing data breaches and cyberattacks requires a fully integrated, well-considered security strategy.