Every cybersecurity program should include regulatory compliance
Companies commonly focus on capability when constructing cybersecurity programs. They ensure businesses have components that assess and address risks, implement access management, and respond to incidents.
To be complete, however, a cybersecurity program must also address regulatory compliance. A comprehensive program will not only keep organizations safe from unauthorized access but also prevent costly damage that can be caused by regulatory penalties.
Training is a top consideration in cybersecurity compliance. A growing number of requirements mandated by government agencies and third-party providers hold organizations accountable for training their employees on cybersecurity controls. The following explores some key regulatory duties and presents some steps that should be taken to stay in compliance.
Understanding the global regulatory net
Most companies in today’s marketplace conduct cross-jurisdictional business. Online activity allows anyone from any jurisdiction anywhere in the world to become a customer. Consequently, companies must consider the controls that apply not only to where they are located but also those that might be triggered by the location of their customers.
The General Data Protection Regulation (GDPR), a law in European Union countries, is an example of a cybersecurity measure that addresses the cross-jurisdictional nature of today’s business dealings.
Considered the most stringent privacy and security law in the world, GDPR was implemented by the E.U. to protect its citizens from cyberattackers and other threats to data security. Any company, no matter where it is located, is subject to the regulation’s requirements if it processes the personal data of E.U. residents.
Complying with the GDPR requires having a sound mix of technical and organizational controls in place. Controls such as firewalls, encryption, and intrusion detection and prevention systems are critical for compliance but insufficient. Programs must also address the human—or organizational—element.
In organizational controls, the GDPR requires companies to provide “the appropriate data protection training to personnel having permanent or regular access to personal data.” Employees must be trained on the skills needed to identify and prevent attacks, how to know when defenses have been breached, and the proper methods for reporting those breaches.
In the U.S., the California Consumer Privacy Act (CCPA) addresses the same concerns covered by the GDPR in the E.U. but applies them to data provided by California residents. It specifies the need for companies to put in place “reasonable security procedures and practices” to protect consumer data. Training programs are considered an important part of those procedures and practices, providing companies with the skills they need to repel attacks.
On the federal level in the U.S., the Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to take steps to ensure patient data security. HIPAA calls for “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information” to be implemented by the companies subject to the act. Cybersecurity training related to HIPAA must also help health care employees understand the vulnerabilities introduced by giving patients access to secure information.
As companies seek to stay in compliance, they must also address the security and training requirements put in place by third-party providers. For example, the credit card companies (Visa, Mastercard, and American Express) require companies that use their services to comply with the Payment Card Industry Data Security Standard (PCI DSS), which mandates “security awareness training” and says companies should address threats like phishing and other social engineering attacks.
Developing training that ensures compliance
Cybersecurity training is unlike most other forms of compliance training because it must involve every employee. Simply training a chief information security officer or their department is not sufficient. A cyberattack can target any employee, from a new hire on his first day to the CEO, meaning everyone must be included in efforts to ensure systems are kept secure.
Certain cyberattacks target technical controls. Brute force attacks, for example, seek to gain unauthorized access to systems by systematically trying passwords until one works. Many more attacks, however, target employees through social engineering, with recent statistics showing that 98% of cyberattacks use social engineering to gain unauthorized access. If employees are unaware of tactics like phishing, pretexting, or scareware, they can easily fall victim.
The overall goal of cybersecurity training should be creating a culture in which everyone understands and is committed to contributing to security. Neither compliance nor cybersecurity success can be achieved strictly through technological means. The human element must be addressed through effective training if companies are to provide “reasonable security procedures and practices” and “security awareness training.”
Regulators around the world have made it clear that companies must commit to strict security controls if they expect to participate in the global digital economy. They have also made it clear that a key component of those controls is providing cybersecurity training that is ongoing, engaging, and extended to all members of the organizations. Companies that fail to effectively foster awareness will not be considered to be compliant.