Cybersecurity compliance starts with creating controls. Most standards and regulations require you to set up procedures, policies, and protocols. Nonetheless, the most important thing is to ensure that all stakeholders comply with procedures and protocols.
Company policies are of great significance. They act as a written compliance guide. Often, compliance requirements and regulations require you to have written policies, which form the basis of your security controls. The conditions primarily exist to help senior management understand their job as well as execute their oversight roles effectively.
Nevertheless, written documents can only appraise intent. For instance, you may write an in-house policy that requires employees to establish and use strong passphrases. Similarly, you can set specific controls relating to the number of unique characters and letters. However, not everyone may understand where the path of good intentions leads them.
According to the 2018 Global Password Security Report, employees in most organizations do not create robust and secure passphrases. A whopping 50% of employees use similar passwords for their work and personal accounts, something that significantly compromises their data.
Why is Compliance Important?
According to the Healthcare Insurance Portability and Accountability Act (HIPAA), healthcare providers should protect both electronic PHI (ePHI) and protected health information (PHI). Even though HIPAA doesn’t propose prescriptive password requirement, HiTRUST and NIST Special Publication 800-63B highlight the need for password complexity controls.
HiTRUST aligns to NIST and requires middle-level healthcare companies to have passwords that are protected from unauthorized modification or disclosure during storage and transmission. The organizations are also required to create temporary passwords, which are unique and cannot be guessed by individuals who have an interest in their data.
To put this into perspective, a simple password like 12345 is guessable and therefore, having such can lead to non-compliance. As far as HIPAA is concerned, non-compliance attracts hefty fines. For instance, the minimum penalty for an accidental violation is $100 per violation. Repeat violations can attract maximum annual fines of up to $25,000.
Often, violations in the healthcare industry result from criminals obtaining passwords. Even so, weak access controls are regarded as willful neglect. In such cases, fines can be increased to at least $50,000 per violation and a maximum annual fine of $1.5 million. The hefty penalties that accompany non-compliance highlight the need to sensitize your employees about compliance.
Steps to Follow During Compliance
The first step towards compliance is ensuring that your organization’s employee handbook stipulates your compliance requirements. On its part, the c-suit needs to establish clear objectives, including conditions that govern the use of devices while at work.
The HR department also needs to be brought on board. HR is your most convenient gateway to employees. The department recruits new team members and therefore sets the tone of the compliance program that you put in place. For this reason, the HR department needs to ensure that your compliance policies and procedures are communicated to new employees as a core component of the onboarding process.
In partnership with the HR department, you should establish clear procedures relating to employee misconduct. You may have clear compliance policies, but nonetheless, employees could still ignore them. Without processes that govern employee noncompliance, your organization will be at risk. Therefore, you should outline steps that ought to be taken in case an employee ignores your cybersecurity policies.
For instance, password security problems could lead to verbal warnings. Nonetheless, if an employee shares a password with outsiders, a written notice will be more appropriate. Similarly, you should consider the number of policy violations that you can allow. Another crucial consideration in determining the penalty that employees will be charged if they fail to use malware or a firewall.
In as much as having compliance policies and training new team members will ensure that employees protect your company’s data, you should give your requirements teeth. This will go a long way in solidifying your commitment towards cybersecurity.
Training Staff to be Security-First Minded
It is advisable to come up with an ongoing training requirement bearing in mind the fact that cybersecurity changes daily. A done-and-dusted approach to employees’ cybersecurity training will not protect you let alone helping you maintain compliance. Probably, you will always update old policies or establish new ones. This means that employees need to review policies at least yearly or when you make any additions or changes.
Your ongoing training should factor in cybersecurity issues based on individual employees’ job descriptions. HR and marketing employees handle different information. This means that they also face different risks. Therefore, role-based training is required to secure your data.
Regardless of how good you are at overseeing your employees, your compliance efforts can be futile if you fail to document whatever you do. Recording everything will help you prove your oversight and enables you to handle any threats to your data environment more effectively.
You may also like: Securing Your Business’ Cloud
About the Author
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. You can learn more at ReciprocityLabs.com.