Future-proof IT

Regulatory compliance considerations for cybersecurity management

Jun 22, 2021
Cybersecurity and data privacy go hand-in-hand

When it comes to cybersecurity, consumer data protection has become a bellwether for changes in strategy, governance, and oversight.  In recent years, acronyms have been tossed around in spades: GDPR, LGPD, PIPEDA, and CCPA, for starters. Each new regulation has its own requirements and applicability depending on where and how data is processed, transferred, shared, or stored right down to physical borders between nations.

But where does the ownership for privacy regulation compliance lie? Many argue that the tasks belong to marketers or system administrators who have oversight of CRM, ATS, or ERP platforms. These professionals are savvy with opt-ins or disclosures rules, but can struggle with data governance best practices and security protocols that go beyond a login password---the very things that help implement and enforce privacy data standards. 

Cybersecurity is about much more than securing a network, monitoring threats, or identifying vulnerabilities. Consider exactly what you are protecting: intellectual property, trade secrets, and employee and customer data. And the loss, damage, or disclosure of this information can have dire consequences at a regulatory level, too.

The true cost of a data breach

In many ways, the financial impact of a successful cyberattack or data breach is incalculable. It can be hard to put a number on the damage that can be done to a brand’s reputation given the blast radius impacts stakeholders, partners, employees, and customers.

Careers have been compromised right along with Social Security Numbers. For example, the Equifax data breach in 2017 cost then-CEO Rick Smith his job and a new CISO was brought in to right the ship. As far as hard costs go, the numbers are disheartening. Data breaches cost an average of $8.64 million each in 2020, and in 80% of cases, the data compromised was customer personally identifiable information (PII).

Now factor in the equally costly ramifications of non-compliance with data protection regulations. The General Data Protection Regulation (GDPR) in the European Union assesses fines up to €10 million for what they term lesser infractions and up to €20 million or 4% of annual global turnover – whichever is greater – for infringements. And that’s just the GDPR.

5 ways CIOs need to step up to aid compliance

CIOs must protect against security threats and the data privacy regulation nightmares that can ensue from a successful breach by leveraging IT security and broader infrastructure solutions and drive policy and process. They can incorporate compliance considerations into a comprehensive vulnerability management plan. While regulations vary just as much as company EULAs and Terms of Use statements, the following can serve as a baseline for consideration.

1. Review your network

Conduct an audit of what applications and services are in use. Then proactively test and look inside your systems noting any suspicious behavior and paths that adversaries can potentially use to find a hole. With hybrid and remote work here to stay, companies are open to greater risk than ever before. DDoS attacks, for instance, are expected to exceed 15.4 million by 2023. 

Evaluating endpoint risks also includes end-user devices. At the height of the pandemic, 56% of people used their personal computers to work remotely, creating gaps with less centralized security protections. Not to mention, fluctuating IP addresses and spotty WiFi connections on home networks can create lag or blind spots for processes such as antivirus monitoring. Distributing corporate devices with locked-down administrative access may be worth considering despite related hardware and logistics costs.

2. Understand your assets

IT teams need to be acutely aware of what they are charged with protecting. And we mean more than just PII. Different requirements may apply to the management and security of health information (HIPAA) or the data of minors (COPPA) for example.

In the case of GDPR (a main driver of the cybersecurity scramble), companies must demonstrate that they are striving to protect customer data against access, loss, and damage. This applies to both internal and external threats. Compliance here can range from de-identifying EU personal data to moving data centers to Europe.

3. Know your cloud footprint

Do you really know every technology asset used by your teams? Cloud platforms that require zero installation can stretch the limits of IT security as different departments acquire different tools to get their jobs done.

Conduct a complete cloud platform audit with every department: what you find might surprise you. It might also directly affect your company’s compliance and security. Where is the data for each of these new cloud programs stored, who has access, and what security is native to those platforms? Catalog your cloud usage and then get to work safeguarding resources or eliminating security gaps you didn’t even know about.

4. Test your protocols

With full risk assessment comes regular testing that scores just how effective cybersecurity protocols are against known threats. Third-party penetration testing is one approach. Internal teams should continuously review the strength of the existing perimeter defense and evaluate access levels for different user segments once they pass through the initial security perimeter.

5. Document your policies

It’s one thing to monitor and follow external regulations. It’s a completely different experience to create your own data policies based on how compliance factors into your existing framework. As you build out or make changes to your cybersecurity policies, document everything from risk reporting to standards and ongoing mitigation.

It’s also important to communicate your policies to staff. At the onset of the pandemic, 20% of employees claimed that IT did not share any security tips with the WFH move. Provide clear and concise instructions for teams so they understand exactly what they should (or shouldn’t) be doing with data, access, and devices.

In the end, trust nothing and no one

There’s very nearly no such thing as too much security when it comes to PII. Taking a zero trust approach to cybersecurity can help fast track you toward better regulatory compliance. In this mindset, anything can be a potential threat, and everything and everyone with access must be granted such with the minimal amount possible. Many organizations are adopting zero trust as they acknowledge that traditional means of ensuring perimeter-based network security protection are no longer viable due to complexity as more data and workflows are moved to the cloud and as workers continue to work remotely. 

What to read next

Doctolib and the cloudy view of personal data​: Establishing compatibility between GDPR and US surveillance laws

Cybersecurity, governance, and the implications of oversight: How your board of directors could be at risk


Disclaimer: This article has been created by Zscaler for informational purposes only and may not be relied upon as legal advice. We encourage you to consult with your own legal advisor with respect to how the contents of this document may apply specifically to your organization, including your unique obligations under applicable law and regulations. ZSCALER MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT AND IT IS PROVIDED “AS-IS”.  Information and views expressed in this document, including URL and other internet website references, may change without notice.