Compliance is a Team Project

With all the rules and regulations surrounding the compliance alphabet soup in play today, it will take more than one person to bring your company in line. We’ve laid out the multiple roles needed to up your compliance game, especially when it comes to HIPAA, PCI, and GDPR.

IT Team

Your first line of defense against compliance failures is the technology in use and the team you have to maintain it. Consult with your IT team to discuss:

  • Email Encryption: How are emails and files that go in and out of your office protected so that they neither fall into the wrong hands nor reveal identifying information?

  • Data Encryption: How do you collect and retain credit card information? Are there any gaps where that information could be stored or released in an identifiable way?

  • Firewall: Are you protecting your company data and communications using a screen door that is easily opened by hackers, or are you using a multi-level security system preventing intrusions?

  • Backups: How often, when and where is your precious company information backed up? Can you test your backups to prove that they’re effective? Is your current backup plan compliant with regards to customer data?

  • Data Availability and Storage: Who has access to your data? Only certain individuals in your company should be able to access all data, like financial records or payment information. How are you restricting access on your network or within line of business applications to ensure safety?

  • Physical Access: Who can actually access computer systems and servers? Do you train your staff to lock their systems every time they leave their desks? Are you using privacy filters on appropriate screens to avoid wandering eyes?

Internal Compliance Officer

While this may not need to be a full-time role within your organization, you should have a compliance champion on staff. Your IT company can absolutely set you up for success, but they are not around to police your staff every hour of the workday.  

The Compliance Officer is responsible for ensuring that your staff follows important compliance policies, maintains vigilance surrounding compliance, keeps documentation up to date, and works with authorities if necessary. Specifically, they:

  • Watch for employees falling into bad habits, like leaving computers unlocked or sending credit card data willy-nilly throughout the organization.

  • Conduct/coordinate online or in-person training to keep compliance top of mind. We recommend quarterly training, at least, in addition to proper education as soon as a new employee comes on board.

  • Maintain all the documentation required for compliance, like backup plans and communication standards.

  • Liaise with federal and state regulators as necessary to prevent or mitigate an issue (with the support of your IT team and legal team).

All Employees

You can have the best technology and the most intense compliance officer and still completely fail at compliance if your employees are not on board. At the end of the day, it comes down to successful employee implementation and clear communication. In order to get employee buy-in, here is what we recommend:

  • Gather everyone together: When you first make tweaks to your company’s security protocols to ensure compliance, explain why to your team. If they suddenly all need to remember 16-character passwords, replace those passwords every 90 days, and have 5-minute timeouts on their systems, they’d appreciate learning it’s not because you’re paranoid. You can utilize your IT Team to conduct this meeting.

  • Send regular reminders: It’s simple to fall into what’s “easier” rather than compliant. Consider sending a weekly or monthly compliance tip to all of your staff to keep it top of mind. 

  • Conduct ongoing trainings: These trainings should be mandatory, involve your IT team, and vary enough to stay interesting. Quarterly should be sufficient unless some regulation change calls for additional meetings.

  • Multi-departmental planning: Different teams have different uses for data. For example, what makes the salesperson tick may make it impossible for accounting to operate within compliance. When it comes to collecting information that must be compliant, every department must be involved in process development to create smooth operation within rules and regulations.

Compliance is not a one-man game. It requires engagement from the whole company, including your IT team, to really be successful. In our next blog, we’ll cover the processes necessary to build a compliance-friendly environment.

GDPR- Should you care?

In 2018, the European Union enacted a new directive to protect its citizens from having their personal information stolen or sold, known as GDPR, or the General Data Protection Regulation. This legislation protects EU citizens, but in reality, it is a global law at this point. Any business in the world that mishandles the personal information of an EU citizen, including something as simple as improperly tracking a cookie on your website, could be fined for non-compliance. Those fines are not cheap. A company failing to comply with the regulation could be subject to a 4 percent forfeiture of its annual revenue. In its first year, there were 95,000 complaints to Data Protection Authorities all over the EU. It’s here to stay, so should you care?
Of the 95,000 complaints received, telemarketing, promotional e-mails, and video surveillance were the top culprits. So far, three fines have been issued by DPAs for GDPR violations. The largest fine issued was in the sum of €50,000,000 for lack of consent to processing personal data. Compliance is no joke, and it can be tricky to implement. 50% of all businesses still have not migrated into the world of GDPR compliance, though they know it could end in litigation. This carries over to American companies that either employ EU citizens or serve them. Even though your business is in the States, you can still get fined from across the pond.
The main idea behind GDPR is protecting citizens and consumer rights. Not only are businesses held responsible for storing people’s information, but they are also held accountable if any misuse of that information occurs. If data is hacked, that business is obligated to report it within 72 hours of the breach and give a detailed account of the data that was stolen. In addition, under GDPR, citizens can request to have their information removed from data storage, and a business must comply.
Currently, social media networks and automated email services are the hardest hit by GDPR. Facebook has seen a steady decline in European consumers, and it has cracked down on how people can use FB ads when targeting certain audiences. Email marketing has seen an increase in opt-outs and tighter spam regulations, changing the marketing game for many companies.
In order to become compliant with GDPR, you will first need to appoint someone as your DPO, or Data Protection Officer. This person will be the point of contact and GDPR expert. They’ll need to be able to handle IT services as well as monitor all the data handling processes in your company, consistently checking any area that may be impacted by GDPR to ensure it stays within compliance. It is highly recommended that the DPO goes through thorough training on the subject so they know exactly what to look for when it comes to staying compliant.
GDPR is great at protecting citizens, and most professionals believe it’s only a matter of time before the United States adopts similar regulations. It’s always better to be prepared, so perhaps it’s time to look into GDPR compliance. 

Ransomware: Why It’s Getting Publicity and What to Do About It

Even though ransomware attacks decreased in 2018, they remain a major threat in the cybersecurity landscape, so much so that ransomware was recently featured on 60 Minutes. The story primarily covers three major instances of ransomware: two that affected municipalities and a third that targeted a hospital.

All three were attacked in a way that encrypted every single one of their files and also encrypted some of the files within their backups, sending the organizations back to operating on pen and paper. Two, despite FBI recommendations, ended up paying the ransom to restore their data quickly, while the third decided not to pay the ransom and went about remediation on their own.  

The hospital was hit with a $55,000 bill, while one municipality (Leeds, AL) was able to negotiate payment down to $8,000. These ransom sums may not appear astronomically high, but that’s exactly how the hackers keep going. If they requested millions in ransom, no one would pay. An amount in the solid five figures, though, feels doable for most organizations to get their precious data restored. The third entity (Atlanta, GA) suffered millions of dollars in losses and time in efforts to recover. Some of their data could never be recovered.

The story presented a very clear picture of the dangers surrounding ransomware; however, there were two major issues in the story. First, the entities covered were obviously major entities, implying that you need to be in the public eye to be affected. This is certainly not the case. In fact, nearly 50% of small business owners say their business was affected by a cybersecurity attack in the last year. Ransomware is not just for highly public entities.

Perhaps more importantly, the story painted paying the ransom as the cheaper and often faster way to go. On very rare occasions, paying the ransom is the only option; but if you’re stuck in a ransomware trap, we do not recommend jumping straight into paying the ransom. Here’s why:

  1. Sure, after you pay the sum (typically in bitcoin), the vast majority of hackers suddenly become ethical and return your files. Let’s look at the reality, though. You’re relying on someone who just took your data hostage for an exorbitant fee to return that data to working order simply because you held up your end of the unwanted bargain. Sounds a lot like using hope as a data recovery strategy to us. At any point the hacker could respond, “Thanks, but no thanks!” or “Well, we thought this would be a sufficient amount, but we ran into snags with your recovery. We’ll actually need x number to finish the job.”

  2. Prevention is a better strategy. If your backup is set up correctly with an on-premises and multi-tenant off-site solution, you should be able to roll back to data that existed before the ransomware attack. Granted, you may lose some data in the process if the encryption gets into the backup, like it did in the attacks covered in the 60 Minutes story. Losing some data is a lot better than putting yourselves up the creek financially by paying a major ransom. In addition to proper backup, ensure that you’re effectively training employees and stringently monitoring data coming in and out of your network.

  3. Isolation is possible. In short, don’t store all of your valuable data in one place. If, on the off chance, ransomware breaches your network, you don’t want to give it an open door to encrypt absolutely everything of value. Keep all critical applications on isolated networks to maintain the safety of the network as a whole.

Ransomware attacks may be on the decline. However, that just invites the hackers to come up with a more creative way to scam you out of time and money. Perhaps phone ransoms are coming next. Regardless of what the hackers create, make sure you’re prepared and don’t have to rely on paying a hefty ransom to keep your business in operation.