By Michael Greco and Matt Oldham of Omnistruct
When it comes to cybersecurity compliance, proactive is far better than reactive. With the myriad of cyber threats businesses face daily, you can’t afford to be complacent. Finding and implementing a security framework that works for your business is crucial. Making one-off security changes when forced to is a Frankenstein approach taking unnecessary time,energy, money and leaving your company vulnerable.
Where do you start? You will need to find a framework that is an appropriate fit for your company and your industry. You should also know where your company plans to be in 5 years so you can be forward-thinking. Utilizing a framework allows your company to approach cybersecurity from a holistic risk management perspective. It also leads to better, risk-informed decision-making around your cybersecurity efforts.
Key Things to Consider
There are some key things to consider when evaluating which compliance standards apply to your company and what framework to utilize.
- What are the security requirements from your vendors, current customers, and future customers?
- What types of sensitive information does your company house or have access to?
- What types of fees or other financial consequences could result from non-compliance?
This blog will focus on security requirements, including growing trends, industry-specific requirements, and being proactive when there are no requirements. We will address sensitive information and financial consequences for non-compliance in separate blogs.
Growing Trends
More and more companies require that their vendors meet specific security standards to do business with them. In sectors such as energy and healthcare, this has been standard practice. However, it is becoming more common regardless of your industry.
Data breaches have no respect for businesses and occur across all sectors. As such, cyber risk needs to be addressed regardless of the type of business. Often, the weakest link in the chain is with a vendor or third-party organization, and security questionnaires are a simple way for companies to reduce that risk.
A chain reaction effect occurs when a large company requires that its vendors meet specific security standards. Some or all of those vendors will likely push the same security requirements down to their vendors. This trickle-down is one reason why small businesses are asked to answer security questionnaires more and more frequently. This also means your business will eventually be the recipient of a cybersecurity questionnaire if you’re not already.
Vendor Questionnaires and Industry-Specific Security Requirements
The cybersecurity compliance standards and frameworks called out in security questionnaires will be dependent on the types of customers you have or the industries your company is targeting. Let’s address some of the most common examples:
Healthcare Industry
The healthcare industry mandates compliance with HIPAA privacy and security requirements. Along with this is the security framework that aligns with HIPAA, known as HITECH. This is the key question asked, “Is your company looking to be a ‘Business Associate’ as defined by HIPAA?” A Business Associate is an organization that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of or provides services to, a covered entity (healthcare provider).
SaaS Companies
Software as a Service (SaaS) companies that handle sensitive customer data in their application will likely see SOC 2 security requirements on their vendor questionnaires. Achieving SOC 2 compliance requires a formal audit and certification process. Navigating the process to become SOC 2 compliant generally takes six months to a year to complete.
Utility Companies (Energy/Power/Water)
If your business is targeting agencies that are part of these critical infrastructure fields, expect to see security requirements that include:
- NERC CIP: The North American Electric Reliability Corporation (NERC) has its Critical Infrastructure Protection (CIP) security standards.
- FERC: The Federal Energy Regulatory Commission (FERC) also requires that businesses meet certain security standards.
Federal Government Agencies
If you are looking to contract with a federal government agency, expect to see FedRAMP compliance requirements, or CMMC compliance requirements.
- FedRAMP is based on a NIST framework (National Institute of Standards and Technology). Compliance also requires a formal audit and certification process. Navigating the process to become FedRAMP compliant will take one to two years to achieve.
- CMMC stands for Cybersecurity Maturity Model Certification. It is also based on a NIST framework. The level of compliance required is determined by the level of access your company will have to government data.
UK/European or International Based Companies
If the customers you are targeting have an international presence, you may have requirements for ISO 27001 compliance. ISO 27001 is a framework developed in the UK. It has been a common security framework in Europe and has become a commonly adopted security standard in the US.
There are more industry-specific cybersecurity frameworks that your business may have to comply with. But, these are some of the most common examples that companies need to be aware of.
Being Proactive When There Are No Specific Requirements
What if your company is not being asked to follow any specific framework or compliance standard for security? You can still be proactive in protecting your data. NIST has developed the Cybersecurity Framework (NIST CSF) as a guideline for both public and private sectors in the US. It is not a required framework yet. Rather, it is recommended for companies looking to improve their overall security posture and cyber risk management. NIST CSF maps to many compliance standards and frameworks, essentially killing two or more birds with one stone. In the absence of other compliance requirements, we highly recommend implementing NIST CSF.
Where Do You Begin?
To begin the process of finding the best cybersecurity framework for your business, you need to define your ideal customers and target industries. Consider what you can do now to implement a framework to prepare for security requirements and remove potential obstacles to company growth.
Even if you don’t expect specific compliance requirements, are you prepared to respond to security questionnaires from your existing and potential customers? Can you prove that your company has a good security posture? If the answer is no to either of these questions, implementing a security framework will allow you to have clearly defined best practices and prove your security posture to inquiring parties.
Implementing a cybersecurity framework and maturing your business will prepare you for the inevitable questionnaire that holds up a large deal. Partnering with FUSE3 and Omnistruct helps to shorten the implementation and management of a cybersecurity program to give your customers confidence in your handling of their data.
Don’t Risk a Breach or Your Business’s Reputation
Today’s chances of a cyberattack are 1 in 4. One breach could put you out of business — or at the very least, ruin your reputation. Want to go on autopilot with your cybersecurity compliance? Team up with FUSE3 and Omnistruct. Together, we will focus on your cyber hygiene, so you can focus on growing your business.
About Matt Oldham
Matt is the Senior Sales Engineer at Omnistruct. With over six years of experience in the cybersecurity and compliance industry, he is the touchpoint between the sales and operations teams, ensuring that the proposed services are the right fit for the client. Matt is also a musician and enjoys cooking as a hobby. He spent over ten years living in the Pacific Northwest before returning to his native stomping grounds in the Sacramento area. Learn more about Omnistruct’s Services.