Cybersecurity compliance is undergoing a massive shift, with regulatory frameworks rapidly introducing more complex rules, stricter enforcement, and tougher penalties for non-compliance. We see this exemplified through the vast reach of the FTC Safeguards Rule now affecting millions of businesses, the recent changes in HIPAA enforcement to levy fines against more businesses, and the imminent arrival of CMMC 2.0’s tighter controls.
To thrive in this more perilous regulatory environment, security and IT teams must adhere to even more comprehensive cybersecurity strategies that demonstrate effective protections to regulators and prevent data breaches. Fortunately, businesses can cut through the complexity of their cybersecurity compliance responsibilities with one simple technique. It all comes down to asking yourself three fundamental questions:
- “Where is my data?”
The first step to securing data is knowing where to find it. Once you catalog each device, data source, storage location and transfer point where data resides, you can define a cybersecurity strategy that builds a fortress around those targets. Pursue a process of data mapping and classification. Detail all data assets and classify data so that you fully understand what data is sensitive and subject to regulatory protections.
For instance, medical facilities with Personally Identifiable Information (PII) and health data covered by HIPAA, or a business with financial data regulated by FINRA, should flag that data as carrying special responsibilities for how it must be handled and secured. Crucially, a business should treat all devices and environments with the assumption that sensitive data resides there (even after performing data mapping) because, in practice, this is too often true—and under-securing such blind spots is a common recipe for a data breach.
To complete the picture on your data’s locations, perform a data flow analysis to track the flow of data through your business, from its creation to its deletion. Doing so will identify any channels where data transmission needs to be secured. Make sure that trustworthy file transfer solutions and encrypted communication protocols are in place to fully secure all data in transit.
- “Who can access my data?”
Regulatory compliance often hinges on whether or not a business can prevent unauthorized access. Securing device and system access—thereby securing data against breaches and your business against regulatory action—should be accomplished via layers of safeguards and active security measures.
Implementing role-based access control (RBAC) empowers a business to closely manage who can access data within its organization. By allowing each employee to access only the data they need to fulfill their role and tasks, a business vastly reduces internal threats and the risks that arise when a single employee’s device or credentials are compromised. Adding multi-factor authentication (MFA) will then protect data even in that inevitable credentials-have-been-compromised scenario.
Implementing continuous security monitoring to detect anomalous behavior and take automated and manual actions to mitigate attacks is essential, as is automated alerting to ensure swift security responses. Performing access audits to verify the effectiveness of access controls and recognize attack attempts is another important practice. Businesses can also harden access controls with automated protections that make data inaccessible when a device shows signs of compromise. This can include removing or quarantining a device’s data when the user fails too many login attempts, or when the device exits a geo-fenced area where access is approved.
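The automated protections described above (quarantining a device's data after too many failed logins, or when the device leaves an approved geo-fenced area) can be expressed as a small policy check. This is an added example, not code from the article or from any product; the event format, the threshold of five failures, the 50 km radius and the coordinates are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Geofence:
    lat: float
    lon: float
    radius_km: float

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def decide(events, fence, max_failed=5):
    """Replay device events in order; return ("allow", None) or ("quarantine", reason)."""
    consecutive_failures = 0
    for ev in events:
        if ev["type"] == "login":
            # A success resets the counter: only an unbroken run of failures counts,
            # so ordinary typos spread over a day do not lock the user out.
            consecutive_failures = 0 if ev["ok"] else consecutive_failures + 1
            if consecutive_failures >= max_failed:
                # Returning here makes quarantine sticky: a later successful login
                # (possibly a correct guess) does not restore access by itself.
                return "quarantine", "failed_logins"
        elif ev["type"] == "location":
            if distance_km(ev["lat"], ev["lon"], fence.lat, fence.lon) > fence.radius_km:
                return "quarantine", "geofence_exit"
    return "allow", None

# Constructed sample data (hypothetical office location and event streams).
OFFICE = Geofence(lat=37.3382, lon=-121.8863, radius_km=50.0)
FAIL = {"type": "login", "ok": False}
OK = {"type": "login", "ok": True}
SAMPLE_LOCKOUT = [FAIL] * 5 + [OK]             # five straight failures, then a success
SAMPLE_TYPOS = [FAIL] * 4 + [OK] + [FAIL] * 4  # never five in a row
SAMPLE_TRAVEL = [OK,
                 {"type": "location", "lat": 37.40, "lon": -121.90},      # near the office
                 {"type": "location", "lat": 34.0522, "lon": -118.2437}]  # far outside

if __name__ == "__main__":
    for name, stream in [("lockout", SAMPLE_LOCKOUT), ("typos", SAMPLE_TYPOS),
                         ("travel", SAMPLE_TRAVEL)]:
        print(name, decide(stream, OFFICE))
```
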
- “How do I keep data available but confidential?”
Going beyond robust access control, businesses must introduce layers of administrative and technical protections to ensure that data remains available to those who should have access, but confidential from those who should not.
Among these protections, data encryption is an absolute requirement, for data at rest and data in transit. Implement end-to-end encryption with strong encryption protocols, and protect every device able to access your data with system- and user-level encryption to prevent both internal and external network-based threats. With effective encryption, even if an attacker does access data, they won’t be able to read it.
Have robust backup and disaster recovery capabilities to make sure data remains available and that you maintain business continuity throughout and after an incident. This functionality should include regular data backups, off-site storage so that data remains secure even if attackers target backup data (which they often do), and regular testing to ensure you can execute an optimal recovery if and when the need arises.
A detailed incident response plan is another critical measure for achieving the best outcome in a high-risk scenario. Make a plan that includes a step-by-step procedure to follow when you need to detect, swiftly respond to, contain, and recover from a data breach. At the end of the day, having a strong plan will meaningfully improve a business’s circumstances and standing with regulators following an attack.
Finally, employee training is a key aspect of data confidentiality, because insecure behavior by businesses’ own workers is still the chief cause of data breaches. Continuously training and testing employees in the latest threats, from phishing schemes to credential management to safe internet browsing, pays dividends when it comes to maintaining security and compliance.
Ask the right questions, get the right answers
With the consequences of insufficient cybersecurity and regulatory non-compliance growing more severe, businesses must take decisive steps to protect their customers from harm, and themselves from steep fines and damaged reputations. By asking the right questions about where sensitive data resides, who has access and how to keep data confidential and available, businesses can arrive at the right answer and implement comprehensive and compliant layered security protections.
About the Author
Cam Roberson is Vice President at Beachhead Solutions, a cloud-based platform providing PC & device encryption, security, and access controls necessary for compliance with CMMC 1 & 2, FTC Safeguards, HIPAA, ISO 27001, NIST guidelines, and more. Cam began his career with Apple Computer, where he held several senior product management roles in the computing and imaging divisions.