Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/21/2020
10:00 AM
Baan Alsinawi
Baan Alsinawi
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Need for Compliance in a Post-COVID-19 World

With the current upheaval, business leaders may lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. That's a big mistake.

 It's clear that COVID-19 is changing the way people interact and work. But after the coronavirus subsides and life begins to return to normal, what will this "normal" look like?

Work as we know it will be changed forever. For example, employees once required to come into the office every day will embrace the convenience and freedom as well as personal time gained from teleworking. Businesses will have to re-examine current working conditions, such as the necessity of daily commutes, cramped cubicles, and rigid office hours, and more.

But cyberthreats will not change — and are likely to increase. Even before the pandemic, security experts estimated that cybercrime could cost the world trillions annually.  . Businesses of all sizes are targeted, with three out of five firms reporting an attack in 2019, according to the 2019 Hiscock Cyber Readiness Report. Though large companies are the most likely to be victims of cyberattacks, 47% of small companies reported an incident, and 63% of midsize companies reported attacks, the report found.

US and UK cybersecurity officials warn that state-backed hackers and online criminals are taking advantage of people's anxiety over COVID-19 to lure them into clicking on links and downloading attachments in phishing emails that contain malware or ransomware. Corporate networks could also be vulnerable to attacks if companies do not invest in providing their employees secure company laptops and set up virtual private networks (VPNs) or zero-trust access solutions.

With all of this upheaval, business leaders need to keep their guard up. It's easy to lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. But this would be a big mistake. Regulatory requirements are designed to ensure that organizations establish a solid cybersecurity program — and then monitor and update it on an ongoing basis. It's critical that organizations continue to stay compliant with applicable security standards and guidelines, especially those concerning policies and procedures, business continuity planning, and remote workers.

Compliance is best when it's continuously monitored, and it should be part of an overall risk management strategy. Here are common compliance questions I receive from C-suite clients and how I answer them.

1. What does compliance even mean?
Compliance is adhering to established rules and regulations, codes of conduct, laws, or organizational standards of conduct. In the context of cybersecurity, this means following guidelines established to protect the security and privacy of an organization's information system or enterprise.

2. To which regulations and organizational standards of conduct should I adhere?
Many public, private and nonprofit organizations follow the National Institute of Standards and Technology (NIST) requirements as a solid baseline for privacy and security. These standards emphasize the need to comply with and implement critical security measures, including access, awareness and training, configuration management, security assessment and authorization, contingency planning, incident response, identification and authentication, planning, personnel security, and system and information integrity. 

3. How do I know which requirements I should be compliant with?
Understanding that not all risks, missions, organizations, and agencies require the same level of protection, compliance requirements provide room for customization, so agencies and organizations can select the controls most appropriate to meet their goals and/or industry standards.  

A risk management framework addresses risk at the organization level, mission/business process level, and information system level. Start with a security categorization process based on determining the potential adverse impact for organizational information systems. The results of your organization's security categorization can help guide and inform you in selecting the appropriate security frameworks (i.e., safeguards and countermeasures) to adequately protect your information systems.

4. Are there any specific regulations that address remote work?
This March, NIST released a draft revision of NIST 800-124, Rev 2 Guidelines for Managing the Security of Mobile Devices in the Enterprise.

NIST also developed NIST 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.

Both these NIST guidelines are mapped to applicable NIST SP 800-53 security controls and Cybersecurity Framework Version 1.1 functions, categories, and subcategories so you can check your compliance with these controls and update them as necessary.

5.  What are my risks if I do not remain compliant?
If you allow your organization's security measures to slip, you can become vulnerable to hackers and bad actors who are experts at finding and exploiting these weaknesses. There's a saying among cybersecurity experts: Organizations have to be right every time; hackers only have to be right one time.

6. What other considerations should I factor in when developing an appropriate risk management strategy?
It's important to consider the appropriate governance, risk, and compliance strategy and tie it to your organization's desired business outcomes so you can operate without interruption, regardless of the disruption.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Baan Alsinawi is the Founder and Managing Director of TalaTek, LLC. Ms Alsinawi's vision for TalaTek was the need for an integrated platform that could both control security and minimize risk, and which could be implemented to ensure compliance by agencies and organizations. ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27400
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVE-2021-29653
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVE-2021-30476
PUBLISHED: 2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVE-2021-22540
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.