Why is compliance important when I haven’t been breached?

Posted by Robert Picard, Demand ITS 23-09-2020 03:23 PM

There’s a good chance you’ve heard about the massive security breaches affecting large companies such as Garmin, Equifax, Desjardins, and LifeLabs. Damage from these breaches will impact their businesses for years to come in a multitude of ways.

You likely have not heard about the thousands of small and medium businesses that have also had breaches, many of which were never detected. If your business were one of them, would you know what your risks and responsibilities are?

In Canada, we have several regulations regarding the protection of Personally Identifiable Information (PII) and Personal Health Information (PHI). If you deal with international customers, or accept payment cards, you may also fall under non-Canadian regulations and industry standards. Some of the most common ones you may have heard of are:

  1. The Québec Private Sector Privacy Act;
  2. The Personal Information Protection and Electronic Documents Act (PIPEDA);
  3. The Personal Health Information Protection Act (PHIPA);
  4. Payment Card Industry Data Security Standard (PCI DSS), which is not a law but a contractual standard enforced by the card brands and your acquiring bank;
  5. General Data Protection Regulation (GDPR).

Remember: It’s the law, it’s not optional
By ignoring or neglecting the appropriate legal mandates, you open your business up to an increased risk of an audit, hefty violation penalties, potential litigation and severe reputation damage.

The Buck Stops with you!
That’s right; regardless of whom you work with, it is ultimately your responsibility to ensure you are compliant with the law. Your vendors (hosting providers, payment processors, managed service providers) may share some liability in the event of a breach, but that doesn’t lessen your burden: you remain accountable for the personal information you collect.

So, what do you do?
Many of the rules and regulations require you to demonstrate that you took reasonable measures to protect the information in your care, but how?

We demonstrate compliance with written policies, documented procedures, and ongoing monitoring that produces evidence (access records, audit logs, incident reports) showing those policies are actually followed. It’s not a one-off exercise but an on-going effort that needs to become part of your business to help manage risk.

How can we do that?
There are several frameworks and certifications you can adopt, and they all have a different methodology. One of those frameworks is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

The NIST CSF exists to streamline cybersecurity for private-sector businesses. It is a voluntary framework of best practices and recommendations, built on existing standards, designed to help your business prepare for and reduce the risks from cyberattacks.

The NIST CSF has five critical functions, called the Framework Core: Identify, Protect, Detect, Respond, and Recover. These functions work concurrently to represent a complete security lifecycle. They are imperative for a well-rounded security posture and successful handling of cybersecurity threats.

NIST CSF is not a checklist, and it’s not a one-time exercise. The security requirements of your business are likely not the same as mine. For this reason, the NIST CSF is intentionally general: it describes outcomes to achieve rather than prescribing specific controls, so it has to be tailored to your business and its risks. That’s why working with a professional IT Partner like your local Millennium Micro Group member is critical to success.

Don’t wait. Contact us to start implementing NIST cybersecurity best practices today!