What happens if organizations don’t meet compliance requirements?
When building an application or website, organizations are responsible for the security and compliance of the information being gathered, and for how it will be used. This is fundamentally the story of how 87 million records gathered from Facebook were able to swing the US elections in 2016. Cambridge Analytica gathered personally identifiable information from Facebook to create user segmentations and target users with highly segmented campaign messages. While election campaigns usually have a consistent platform of messages, this approach allowed many different messages to be sent to voters based on what would influence each of them.
The consequences of misusing data are serious and far reaching, and have caused industry regulation and government legislation to step up. The multiple regulations and compliances can be complex, but today enterprises pay a heavy price for non-compliance. They can lose customer confidence through a damaged reputation, and suffer disruption of business activities, productivity losses or even revenue losses. On top of that, non-compliance can attract huge fines, penalties and settlement costs that can completely dismantle a company. For instance, a violation of GDPR can result in a fine of up to 20 million euros, or up to 4% of the total global turnover of the preceding fiscal year, whichever is higher.
A plethora of regulatory security compliances – choose the appropriate framework based on business operations and risks
Regulatory compliances vary between countries and geographies, and each industry has specific licenses and regulations to meet as well. Some regulations are relevant to service-based industries, others to SaaS cloud services, while regulations for industries like healthcare or banking may be location dependent. Security teams must determine the appropriate framework for data and cyber security based on their operations and the related risks.
Some of the regulatory compliances are:
- ISO 27001 details best practices for information security management systems (ISMS), and is widely used across the globe. It details the processes for managing the security of assets, including financial information, intellectual property, employee details and information entrusted by third parties.
- HIPAA (Health Insurance Portability and Accountability Act) is an IT compliance standard created specifically for the healthcare industry.
- GDPR (General Data Protection Regulation) is a regulation that protects the security and privacy of data belonging to citizens of the European Union.
- PCI-DSS was mainly created for financial services such as the BFSI industry. Payment processors and other financial service providers must comply with the Payment Card Industry Data Security Standard (PCI-DSS) to prevent credit card fraud and phishing, and to ensure financial data protection.
- SOC 1 and SOC 2 are auditing procedures that cover the security measures an organization deploys to protect customer data. Created specifically for SaaS solution providers, these frameworks are built on security, availability, processing integrity, confidentiality and privacy.
Common elements across compliances simplify the regulatory requirements
ISO 27001 is a universal and globally recognised standard for information security management across industries. Certification means that the organization is aware of data compliances and maintains its systems and data in line with these regulations, and that it has a plan to mitigate risks and respond when an attack takes place. It also mandates a set of actions in case of a data breach, requiring organizations to inform regulatory bodies, impacted customers and users about the breach so that they can take the necessary actions to protect their data. Organizations also need a mitigation plan that takes responsibility for addressing the cause of the breach. Having ISO 27001 certification gives clients a sense of trust in the organization's process maturity and diligence in information security.
While ISO 27001 is a universal set of standards, other regulations are either industry specific or country or region specific. HIPAA, for example, is pertinent to healthcare in the USA, and GDPR relates to Europe. DPA is the Data Protection Act of the UK, but if a company is compliant with ISO 27001 and GDPR, it meets almost all the requirements of the DPA. The financial industry in Australia has specific compliance requirements for banking and finance organizations; these are similar to the requirements of PCI-DSS in the USA, with slight modifications.
Looking at the checklist of security requirements across most regulatory compliances, there are several common elements. All of them deal with two aspects – how enterprises process information, and how they react to incidents when they happen. These checklists cover technical protections, physical protections, administrative protections, and to-do lists of best practices to ensure ongoing data protection and actions in case of breaches. However, each compliance regime assigns responsibility to the government or industry body that is accountable for it. For example, technical protections and encryption are recommended under ISO 27001, but there may be specific encryption requirements under HIPAA or GDPR. Similarly, in the case of a data breach, all compliances recommend that the company notify the people impacted, but there are specific requirements to notify regulatory bodies, and specific timelines, based on the laws of the country, region or industry.
Security compliance – an opportunity for enterprises
Today all industries have some level of regulatory security compliance. Rather than worrying about the complexity involved and merely pursuing a checklist, organizations should see this as an opportunity for better business processes, responsible decisions and a way to earn customer trust. While the initial cost of setting up compliance processes within an organization may seem daunting, the cost of non-compliance is worse. Regulatory compliances exist in the interest of the greater good, to protect individuals and the welfare of industry. This is an opportunity for enterprises to better their business practices and refine their processes.
A CISO (Chief Information Security Officer) has become a mandatory part of every leadership team, no matter how large or small the company is. In addition, a best practice in security processes is to partner with a third-party external expert, whose outside view is critical for companies that may have blind spots or face threats from their internal teams. With markets becoming global, and geographical and industry lines blurring, regulatory compliances are complex and change frequently. An external expert can advise on the latest in cyber and data security compliances, which may not be the core focus of an enterprise.
Cyber security is one of the top ten global risks that are most likely to occur, according to the Global Risk Report 2021, produced by the World Economic Forum, and governments and industry regulatory bodies have woken up to this. Awareness is high among customers and users as well, making the need for a strong cyber security program a must for every enterprise.