Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/21/2020
10:00 AM
Baan Alsinawi
Baan Alsinawi
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Need for Compliance in a Post-COVID-19 World

With the current upheaval, business leaders may lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. That's a big mistake.

 It's clear that COVID-19 is changing the way people interact and work. But after the coronavirus subsides and life begins to return to normal, what will this "normal" look like?

Work as we know it will be changed forever. For example, employees once required to come into the office every day will embrace the convenience and freedom as well as personal time gained from teleworking. Businesses will have to re-examine current working conditions, such as the necessity of daily commutes, cramped cubicles, and rigid office hours, and more.

But cyberthreats will not change — and are likely to increase. Even before the pandemic, security experts estimated that cybercrime could cost the world trillions annually.  . Businesses of all sizes are targeted, with three out of five firms reporting an attack in 2019, according to the 2019 Hiscock Cyber Readiness Report. Though large companies are the most likely to be victims of cyberattacks, 47% of small companies reported an incident, and 63% of midsize companies reported attacks, the report found.

US and UK cybersecurity officials warn that state-backed hackers and online criminals are taking advantage of people's anxiety over COVID-19 to lure them into clicking on links and downloading attachments in phishing emails that contain malware or ransomware. Corporate networks could also be vulnerable to attacks if companies do not invest in providing their employees secure company laptops and set up virtual private networks (VPNs) or zero-trust access solutions.

With all of this upheaval, business leaders need to keep their guard up. It's easy to lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. But this would be a big mistake. Regulatory requirements are designed to ensure that organizations establish a solid cybersecurity program — and then monitor and update it on an ongoing basis. It's critical that organizations continue to stay compliant with applicable security standards and guidelines, especially those concerning policies and procedures, business continuity planning, and remote workers.

Compliance is best when it's continuously monitored, and it should be part of an overall risk management strategy. Here are common compliance questions I receive from C-suite clients and how I answer them.

1. What does compliance even mean?
Compliance is adhering to established rules and regulations, codes of conduct, laws, or organizational standards of conduct. In the context of cybersecurity, this means following guidelines established to protect the security and privacy of an organization's information system or enterprise.

2. To which regulations and organizational standards of conduct should I adhere?
Many public, private and nonprofit organizations follow the National Institute of Standards and Technology (NIST) requirements as a solid baseline for privacy and security. These standards emphasize the need to comply with and implement critical security measures, including access, awareness and training, configuration management, security assessment and authorization, contingency planning, incident response, identification and authentication, planning, personnel security, and system and information integrity. 

3. How do I know which requirements I should be compliant with?
Understanding that not all risks, missions, organizations, and agencies require the same level of protection, compliance requirements provide room for customization, so agencies and organizations can select the controls most appropriate to meet their goals and/or industry standards.  

A risk management framework addresses risk at the organization level, mission/business process level, and information system level. Start with a security categorization process based on determining the potential adverse impact for organizational information systems. The results of your organization's security categorization can help guide and inform you in selecting the appropriate security frameworks (i.e., safeguards and countermeasures) to adequately protect your information systems.

4. Are there any specific regulations that address remote work?
This March, NIST released a draft revision of NIST 800-124, Rev 2 Guidelines for Managing the Security of Mobile Devices in the Enterprise.

NIST also developed NIST 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.

Both these NIST guidelines are mapped to applicable NIST SP 800-53 security controls and Cybersecurity Framework Version 1.1 functions, categories, and subcategories so you can check your compliance with these controls and update them as necessary.

5.  What are my risks if I do not remain compliant?
If you allow your organization's security measures to slip, you can become vulnerable to hackers and bad actors who are experts at finding and exploiting these weaknesses. There's a saying among cybersecurity experts: Organizations have to be right every time; hackers only have to be right one time.

6. What other considerations should I factor in when developing an appropriate risk management strategy?
It's important to consider the appropriate governance, risk, and compliance strategy and tie it to your organization's desired business outcomes so you can operate without interruption, regardless of the disruption.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Baan Alsinawi is the Founder and Managing Director of TalaTek, LLC. Ms Alsinawi's vision for TalaTek was the need for an integrated platform that could both control security and minimize risk, and which could be implemented to ensure compliance by agencies and organizations. ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13890
PUBLISHED: 2020-06-06
The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.
CVE-2020-13889
PUBLISHED: 2020-06-06
showAlert() in the administration panel in Bludit 3.12.0 allows XSS.
CVE-2020-13881
PUBLISHED: 2020-06-06
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
CVE-2020-13883
PUBLISHED: 2020-06-06
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
CVE-2020-13871
PUBLISHED: 2020-06-06
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.