The headlines paint a bleak picture. It doesn’t matter where you are. It doesn’t matter who you are. It doesn’t matter what business you are in. You are going to get hit by a cyber attack. The threat actors come in all shapes and sizes: Nation states, sophisticated criminal organizations, terrorists, activists, and an occasional bored teenager. The reality is that you are going to get hit – it’s not a matter of if, but when. But so what?
Out for destruction, not ransom
Although the headlines are filled with multimillion-dollar settlements and tens of millions of records lost, the reality is often quite different. Nation state attacks, such as the recent NotPetya, are usually intent on destruction, not necessarily money. Criminal gangs have a developed business model that fleeces many victims for small amounts. The fact that cyber thieves only inflict relatively limited damage does not mean that firms are off the hook. There are entities far more powerful and threatening, who can and will take hundreds of millions without blinking an eye, without even breaching your security. Who are these perpetrators? Regulators.
Regulators impose heavy fines
The EU’s new General Data Protection Regulation (GDPR) has not come into effect yet, so we don’t know exactly what sort of fines the enforcement authorities will levy, but we have an idea. Penalties can go up to 4% of global revenue or €20,000,000.
A recent Italian case gives us an indication that the regulators mean business. The Italian Data Protection Authority (‘Garante’) wacked a British firm for €5,880,000 (US$6.6 million). There wasn’t even a breach – it was for a violation of privacy laws.
The New York Department of Financial Services (NYDFS) recently enacted a new cybersecurity regulation. (Cybersecurity Requirements for Financial Services Companies, or 23 NYCRR 500). There are no penalties yet, but the NYDFS has in the past handed out numerous fines in the hundreds of millions.
Health care providers in the United States are subject to the HIPAA and HITECH regulations. The agency charged with enforcement, the Office for Civil Rights (OCR) of the Department of Health and Human Services, handed out more and larger fines in 2016 than in the previous five years combined. The cause? Loss of unencrypted mobile devices and laptops.
How to protect your organization
So, how do you protect your firm? The latest SIEM? Next generation firewall? Endpoint security? These will help stop a breach, but they won’t stop a regulator. What you need to do is get with the program. To avoid a massive fine, you have to prove to the regulator that you have a robust program. It doesn’t matter if you need to comply with 23 NYCRR 500, the GDPR, or HIPAA, .
We can help you implement this program. That’s what we do.
ISO 27001 provides demonstrable proof that you’ve taken the necessary measures to protect your organization from a data breach.
By implementing an ISMS conformant with ISO 27001, you can meet regulatory pressures and build resilience against a cyber attack
Implement a proven solution trusted by over 30,000 companies globally.
ISO 27001 provides the basis for managing data security using an integrated set of policies, procedures, and technology, tied together into an ISMS (information security management system). Independently audited certification means companies can demonstrate compliance with these laws and provide the necessary assurance to stakeholders and clients.