Keeping your business current with evolving IT compliance requirements

If you manage IT operations and / or cybersecurity for a company, there’s a good chance you have to worry about one or more sets of compliance regulations. That’s especially true if you work in traditionally regulated industries like health care, where longstanding laws like the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. require you to protect the sensitive information of your patients. Selling products or services to consumers will likely put you under the scrutiny of compliance regimes like the European Union’s General Data Protection Regulation (GDPR), which requires you to take extensive steps to protect consumers’ private data.

The job of maintaining compliance to avoid financial penalties, reputational harm and other sanctions is getting tougher as governments and industry authorities update their regulations to address evolving IT and cybersecurity challenges. For example, the EU is in the process of introducing Version 2 of its Directive on Security of Network and Information Systems, better known as NIS 2.

This update, for which EU member states must finalize their local regulations by October 2024, will require businesses to implement new measures to improve their cyberdefenses and to recover more quickly and effectively when cyberattacks succeed. Likewise, HIPAA is getting a long-promised set of updates this year that will require health care providers to better enable patients to access and control personal health care data. Similar updates are scheduled to regulations in many industries and countries around the world.

These regulatory updates are driven by several major trends:

Cybercrime has evolved into a much more efficient industry that generated 270,000 new iterations of malware every day in 2023. Cybercriminals now operate at the same scale as Global 2000 SaaS companies, mimicking their distribution and software development techniques to attack a much broader range of targets with increasingly sophisticated attacks.

Both malware creators and the army of low-skilled criminals that serve as their distributors are now taking advantage of automation and generative AI tools like ChatGPT to scale up and improve the effectiveness of their operations. GenAI tools in particular have helped make phishing emails more urgent and convincing, with perfect grammar and spelling in dozens of languages. Deepfake audio and video are increasingly being used to steal tens of millions of dollars in impersonation attacks.

• The growing use of cloud applications and storage, internet of things (IoT) devices and the complex interconnections of global supply chains is presenting new attack surfaces for cybercriminals to exploit.

• Advanced persistent attacks, once the province of nation-state espionage organizations, have migrated into the cybercrime sector, where their use of stealth, persistence, privilege escalation, lateral movement and other sophisticated techniques is driven purely by profit.

These factors have contributed to a global cybercrime pandemic that is projected to cost the world more than $23 trillion by 2027, up from $8.4 trillion in 2022. So, it is hardly surprising that compliance authorities are updating regulations to meet the fast-changing threat environment. The example of the EU’s NIS 2 is typical of this evolution, as reflected by the following changes to its original 2016 version:

Its scope has been expanded from critical infrastructure sectors like power and water to include other industries like manufacturing and food production. It also includes many smaller companies than previously: you must now comply if you have a few as 50 employees or at least €10 million in annual revenue. Thus, many companies that didn’t have to worry about NIS 1.0 will now have to meet NIS 2.0 compliance standards.

Businesses are expected to develop more formalized programs to identify, assess and mitigate cyber risk, and must identify key executives to own those programs, including taking legal and financial accountability for them if they fail. Regular security awareness training for all employees is now required.

Companies are expected to develop, document and regularly test incident response plans with clear procedures for escalating, containing, and recovering from cyber incidents. The related disciplines of business continuity planning and disaster recovery planning are also identified as requirements.

Compliance authorities are becoming much more explicit and specific about the technologies they expect businesses to implement, including access controls with least-privilege policies and multi-factor authentication; data encryption both in transit and at rest; and better monitoring for suspicious activities, breaches and anomalies.

Supply chain security comes under scrutiny for the first time. Businesses are expected to assess and manage the cyber risk originating from their tech vendors, service providers and software development practices.

The regulation also requires businesses to regularly conduct security audits and gap analyses, including vulnerability assessments and penetration testing to test their cyber defenses.

Finally, businesses are subject to new, stricter requirements on reporting of suspected and actual incidents to government authorities, and are encouraged to participate in information sharing platforms to exchange information on threats, vulnerabilities and best practices with other organizations.

This is just one example, but compliance authorities around the world are making similar changes to their regulations. How can businesses, especially smaller ones with more limited cybersecurity resources, hope to keep up? Here are seven best practices to follow:

1.       Don’t wait until the new versions of the regulations are live to get going

It may take your business months to implement the technologies, develop the policies, and add the people skills you need to achieve full compliance. Smaller companies may have slightly more leeway than their enterprise counterparts, as compliance authorities tend to target well-known global brands with big fines and other penalties for noncompliance early on to set a painful example for others. But it’s risky to count on that, as repeat offenses under some regulations can cost your company 2% of its annual revenue.

2.       Take advantage of cybersecurity frameworks

The Center for Internet Security (CIS) Critical Security Controls and the National Institute of Standards and Technology (NIST) CyberSecurity Framework (CSF) provide a useful model for assessing your current cyberdefenses and response mechanisms, and provide many useful tools and documents on best practices at no cost. NIST was recently updated as NIST CSF 2.0 in response to the above-cited trends.)

3.       Consider updating your email security stack as a triage measure

Typically, 70% to 90% of all successful cyberattacks use email-based phishing as their first point of entry, and new AI tools are making this attack vector even more effective. Reducing the number of malicious emails that hit your users’ inboxes is a high-yield measure to take first.

4.       If you haven’t deployed EDR yet, now is the time

EDR is specifically name-checked as a requirement in some compliance regulations. If you are behind on this issue, you are not alone: many smaller companies have struggled to gain the necessary security expertise to effectively deploy these tools, most of which were designed for better-staffed, larger enterprises. Consider EDR tools that are explicitly designed to address the skills shortage at smaller businesses with the help of automation and AI.

5.       Apply automation to your vulnerability scanning and patch management processes

The average time a business takes between receiving a patch from a vendor and installing is upwards of 90 days. Shrinking the window that cybercriminals have to exploit those openings is a simple, common-sense measure. By applying automation to your vulnerability scanning and patch management process, you can shorten the time your business is exposed to known vulnerabilities.

6.       Revisit your current policies and tech stack for backup and disaster recovery

The new regulatory updates all place much greater emphasis on your ability to bounce back after a cyberattack succeeds, and these remain essential tools for restoring critical (and possibly regulated) data and getting key business systems back online quickly. If you have previously resisted implementing disaster recovery as too complex and expensive, consider cloud-based disaster recovery services. Many of these are explicitly designed to be affordable and simple to manage for smaller businesses.

7.       Bolster your business case for acting sooner rather than later by raising the issue of cyber insurance

The insurance industry is also issuing stricter standards around cybersecurity and recovery for businesses that want to get or renew a cyber insurance policy, and the requirements often look very similar. Cyber insurers now expect your business to have EDR, MFA, automated vulnerability management, better backup, and formal incident response planning. Achieving compliance will help you qualify for or renew your cyber insurance policy and negotiate better rates.

Start getting educated on how your business can comply with the next version of regulations with the following complimentary resources:

White paper: Is your business ready for NIS 2 compliance?

Webinar replay: Applying the NIST CSF 2.0 to your company’s incident response planning

Webinar replay: Secure your business: Building resilience for 2024 and beyond    

Webinar replay: Achieving regulatory compliance in the face of AI-enhanced cybercrime