What is compliance and does it protect your company?
Complying with standards and regulations is a fundamental part of modern cybersecurity for organisations.
However, many companies struggle with compliance because it can be tricky. It is one of those things in cybersecurity that companies have to do, but many are unsure how to do it. With so many terms, hundreds of systems to keep track of and controls to wrap your head around, many businesses, both large and especially small, find it difficult to tell whether they are meeting standards or falling short.
It doesn’t help that compliance laws and regulations can vary depending on the industry and region the company works in as well as by type of data being managed. Often companies, especially those with an international presence, are having to juggle various compliance requirements all at once.
Despite this, compliance requirements take no prisoners. They are imposed on companies by law, regulatory bodies, and also private industry groups like Payment Card Industry with PCI DSS. If you don’t comply, you’ll expose yourself to legal challenges and hefty fines.
What is compliance and why is it needed?
Companies are teeming with sensitive data that, if leaked, can be leveraged by threat actors to attack confidentiality, integrity and availability (CIA). It is always important to remember that threat actors have goals behind their cyber attacks, and they aim to achieve things like:
- Denial of service attacks
- Theft of sensitive data to sell on the dark web
- Ransomware attacks
- National and corporate espionage
To accomplish this, threat actors have to mess with data. Data is the lifeblood of IT and, in the modern world, of the company itself. Threat actors will steal, encrypt, damage and alter it to carry out attacks.
With cyber threats like these, it is important that standards of security are maintained, especially considering that no company exists in a vacuum and attacks on one can impact society as a whole, whether that is the data of millions of customers being exposed or supply chain attacks, like the ransomware attack on Kaseya, that threaten national security.
Below are a few common compliance requirements your company will face, although this is certainly not an exhaustive list. There are numerous regulations and laws companies have to comply with when dealing with types of data, and they can vary by industry sector and region.
Some well-known ones are included below.
GDPR (General Data Protection Regulation)
GDPR regulates the data protection and privacy of EU member-state citizens, meaning that any company either doing business within the EU or at least collecting and processing the data of an EU resident should adhere to it.
Notable rules are:
- Site visitors have to be notified of data the site collects from them and explicitly consent by clicking on an ‘Agree’ button or equivalent.
- Personally identifiable information (PII) the sites collect should be either anonymised or pseudonymised.
- If there’s a data breach, sites must notify visitors promptly if their personal data is affected.
- Companies must hire a dedicated data protection officer (DPO) or have an existing staffer to make an assessment of their site’s data security.
- Information on how to contact the DPO and other relevant staffers has to be readily accessible for visitors.
Importantly, the regulation applies to sites as long as they are available to European visitors, regardless of where they’re based or whether or not they really market goods and services to EU residents. The GDPR also affects employees of the organisation, such as human resources’ employee records.
Amazon was fined 886 million dollars this year for breaking the EU's General Data Protection Regulation (GDPR).
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry (PCI) has developed a set of data security standards called the Payment Card Industry Data Security Standard (PCI DSS). Any organisation that handles payment card information is subject to these standards, which, unsurprisingly, is pretty much every company.
PCI DSS covers both company transactions and personal financial data. It addresses security for:
- Debit/credit cards.
- Point-of-sale terminals and servers.
- Transmission security.
PCI DSS mandates a wide range of security measures, major ones including encryption of data in transit and at rest. Encryption is a must when handling sensitive data like credit and debit card details, and any company that handles this data and does not comply will face severe legal challenges.
Target was fined 18.5 million dollars after a PCI compliance breach in 2013.
It goes without saying that attacks can come both externally and internally. Between 2002 and 2009, an administrator at a construction labour union's local office embezzled 42 million dollars from benefits accounts. The lack of security controls meant the malicious actor was handling all the money and reporting without any oversight role to keep her in check.
Comparatively, fraud by senior executives at Enron and WorldCom in 2002 not only ruined both companies, but also helped cause a worldwide economic crash.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (2002) implemented wide reforms on company reporting and internal controls, including criminal penalties for company officials responsible for internal corporate fraud.
Two notable sections of the act for cybersecurity requirements include:
- Section 302, which requires companies to have internal controls which ensure accurate, timely financial disclosures. The controls have to make sure data is accurate and remains secret until it’s disclosed. Company officials must evaluate these controls when they make a regular report.
- Section 404, which requires internal controls to protect financial data and ensure proper reporting. As many companies outsource financial activities, they rely on SOC reports to show compliance.
SOX fines for non-compliance can range into the millions for companies. Officers of the company who knowingly submit an inaccurate report can face criminal penalties of up to 5 million dollars in fines and up to 20 years in prison.
System and Organization Controls (SOC)
The American Institute of Certified Public Accountants (AICPA) has created a series of reports on internal controls called System and Organization Controls (SOC). SOC reports are generally produced by independent auditors and document a company's internal security controls.
They primarily affect service organisations, such as cloud providers, managed security providers, trust companies, credit card processing organisations, etc.
SOC reports can be broken down into three categories:
- SOC 1, which focuses on financial controls and is targeted at financial auditors. These aren't usually shared outside a company.
- SOC 2, which focuses on general cybersecurity controls. This is nearly always a proprietary report and some vendors, like Google Cloud services and Amazon, will grant you access to these if you’re an established customer.
- SOC 3, which is the publicly released version of SOC 2, with sensitive details omitted to protect the company against competitors.
Companies that delegate financial responsibilities to other vendors need to protect themselves by complying with company and vendor requirements. The main goal of these reports is to make sure systems are set up to protect the availability, processing integrity, confidentiality and privacy of customer data and the overall security of those systems.
SOC 2 has a number of notable requirements for cybersecurity compliance, addressing these controls:
- Logical and physical access controls, which is about how you prevent unauthorised access by restricting and managing logical and physical access.
- System operations, which concerns the way you manage your system operations in order to detect and mitigate deviations from set procedures.
- Change management, which is the way you implement a controlled change management process and how you stop unauthorised changes.
- Risk mitigation, which is about the way you identify and develop risk mitigation processes when dealing with business disruptions as well as vendors.
Additional criteria include companies monitoring their accounts at vendors, reconciling data against the transactions, ensuring transactions were all completed and that payments are legitimate.
Gramm Leach Bliley Act (GLBA)
GLBA's privacy rule requires financial institutions to protect the confidentiality and security of customer data. It gives customers certain rights and controls over their information, including being able to opt out if they do not want their data shared with certain third parties.
Under the privacy rule of GLBA, any company that provides financial advice, arranges financing or extends credit has to notify customers of what information it collects and who it shares it with. The safeguards rule requires financial institutions to protect any customer information they have collected.
Compliance requirements for companies include:
- Having one or more employees coordinating its information security program.
- Identifying and assessing risks to customer data in all company operations and evaluating how effective current safeguards are in controlling risks.
- Designing and putting in place a safeguarding program, regularly monitoring and testing it.
- Selecting vendors that have appropriate security in place, establishing a contract requiring them to maintain safeguards, and overseeing how they handle customer data.
- Evaluating and adjusting the program when required, such as due to results of security testing and monitoring or operational changes.
Under GLBA, penalties for non-compliance include fines of up to 100,000 dollars per violation, with fines of up to 10,000 dollars for company officers and directors. Licences can also be revoked, and criminal penalties of up to five years in prison apply.
How do you safeguard your company?
In order to comply with regulations, companies should hire accredited security professionals to decode relevant requirements and create implementation plans.
Many cybersecurity professionals have credentials like HISP (Holistic Information Security Practitioner), showing they have the required knowledge of what system controls are needed to reach compliance for a multitude of sectors.
However, it is important to note that compliance is not the fix-all of cybersecurity. With a constantly evolving threat landscape and new threats emerging every day, technology ages and compliance requirements can be outpaced. This is why it is important for companies not only to meet the minimum that compliance represents, but to surpass it: stay aware and embrace the latest technology in order to protect the company.
In cybersecurity, compliance and awareness are key.
Securiwiser is a cybersecurity threat detection and monitoring tool. Securiwiser greatly assists your company in meeting its compliance requirements by providing a way to monitor your network and cloud in real time, flagging vulnerabilities, indicators and data exposure 24/7.
Securiwiser allows you to monitor the cybersecurity posture of both your company and your vendors, see avoidable security misconfigurations in your cloud and network exposing sensitive data, be aware of suspicious port activity as well as giving the latest recommendations on how to solve security issues.