
5/21/2020
10:00 AM
Baan Alsinawi
Commentary

The Need for Compliance in a Post-COVID-19 World

With the current upheaval, business leaders may lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. That's a big mistake.

It's clear that COVID-19 is changing the way people interact and work. But after the coronavirus subsides and life begins to return to normal, what will that "normal" look like?

Work as we know it will be changed forever. For example, employees once required to come into the office every day will embrace the convenience, freedom, and personal time gained from teleworking. Businesses will have to re-examine current working conditions, including the necessity of daily commutes, cramped cubicles, and rigid office hours.

But cyberthreats will not change, and they are likely to increase. Even before the pandemic, security experts estimated that cybercrime could cost the world trillions of dollars annually. Businesses of all sizes are targeted, with three out of five firms reporting an attack in 2019, according to the 2019 Hiscox Cyber Readiness Report. Though large companies are the most likely to be victims of cyberattacks, 47% of small companies reported an incident, and 63% of midsize companies reported attacks, the report found.

US and UK cybersecurity officials warn that state-backed hackers and online criminals are taking advantage of people's anxiety over COVID-19 to lure them into clicking on links and downloading attachments in phishing emails that carry malware or ransomware. Corporate networks are also exposed if companies do not invest in providing their employees with secured, company-managed laptops and do not set up virtual private networks (VPNs) or zero-trust access solutions for remote connections.

With all of this upheaval, business leaders need to keep their guard up. It's easy to lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. But this would be a big mistake. Regulatory requirements are designed to ensure that organizations establish a solid cybersecurity program — and then monitor and update it on an ongoing basis. It's critical that organizations continue to stay compliant with applicable security standards and guidelines, especially those concerning policies and procedures, business continuity planning, and remote workers.

Compliance is best when it's continuously monitored, and it should be part of an overall risk management strategy. Here are common compliance questions I receive from C-suite clients and how I answer them.

1. What does compliance even mean?
Compliance is adhering to established rules and regulations, codes of conduct, laws, or organizational standards of conduct. In the context of cybersecurity, this means following guidelines established to protect the security and privacy of an organization's information system or enterprise.

2. To which regulations and organizational standards of conduct should I adhere?
Many public, private, and nonprofit organizations follow the National Institute of Standards and Technology (NIST) guidance as a solid baseline for privacy and security. These standards, organized in the NIST SP 800-53 control catalog, emphasize the need to implement critical security measures, including access control, awareness and training, configuration management, security assessment and authorization, contingency planning, incident response, identification and authentication, planning, personnel security, and system and information integrity.

3. How do I know which requirements I should be compliant with?
Not all risks, missions, organizations, and agencies require the same level of protection, so compliance requirements leave room for customization (tailoring): agencies and organizations can select the controls most appropriate to their goals and applicable industry standards.

A risk management framework addresses risk at the organization level, the mission/business process level, and the information system level. Start with a security categorization process that determines the potential adverse impact to the organization if the confidentiality, integrity, or availability of each information system were compromised. The results of that categorization guide the selection of the appropriate security controls (i.e., safeguards and countermeasures) to adequately protect your information systems.

4. Are there any specific regulations that address remote work?
This March, NIST released a draft of NIST SP 800-124 Rev. 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise.

NIST also publishes NIST SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.

Both of these NIST guidelines are mapped to the applicable NIST SP 800-53 security controls and to Cybersecurity Framework Version 1.1 functions, categories, and subcategories, so you can check your existing control implementations against them and update them as necessary.

5. What are my risks if I do not remain compliant?
If you allow your organization's security measures to slip, you become vulnerable to hackers and other bad actors who are experts at finding and exploiting these weaknesses. There's a saying among cybersecurity experts: Organizations have to be right every time; hackers only have to be right once.

6. What other considerations should I factor in when developing an appropriate risk management strategy?
It's important to consider the appropriate governance, risk, and compliance strategy and tie it to your organization's desired business outcomes so you can operate without interruption, regardless of the disruption.


Baan Alsinawi is the Founder and Managing Director of TalaTek, LLC. Ms. Alsinawi founded TalaTek to address the need for an integrated platform that could both control security and minimize risk, and that agencies and organizations could implement to ensure compliance.