5/21/2020
10:00 AM
Baan Alsinawi
Commentary

The Need for Compliance in a Post-COVID-19 World

With the current upheaval, business leaders may lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. That's a big mistake.

It's clear that COVID-19 is changing the way people interact and work. But after the coronavirus subsides and life begins to return to normal, what will this "normal" look like?

Work as we know it will be changed forever. For example, employees once required to come into the office every day will embrace the convenience and freedom as well as personal time gained from teleworking. Businesses will have to re-examine current working conditions, such as the necessity of daily commutes, cramped cubicles, and rigid office hours, and more.

But cyberthreats will not change — and are likely to increase. Even before the pandemic, security experts estimated that cybercrime could cost the world trillions annually. Businesses of all sizes are targeted, with three out of five firms reporting an attack in 2019, according to the 2019 Hiscox Cyber Readiness Report. Though large companies are the most likely to be victims of cyberattacks, 47% of small companies reported an incident, and 63% of midsize companies reported attacks, the report found.

US and UK cybersecurity officials warn that state-backed hackers and online criminals are taking advantage of people's anxiety over COVID-19 to lure them into clicking on links and downloading attachments in phishing emails that contain malware or ransomware. Corporate networks could also be vulnerable to attacks if companies do not invest in providing their employees secure company laptops and set up virtual private networks (VPNs) or zero-trust access solutions.

With all of this upheaval, business leaders need to keep their guard up. It's easy to lose focus and push off implementing security measures, managing risk, and keeping up with compliance requirements. But this would be a big mistake. Regulatory requirements are designed to ensure that organizations establish a solid cybersecurity program — and then monitor and update it on an ongoing basis. It's critical that organizations continue to stay compliant with applicable security standards and guidelines, especially those concerning policies and procedures, business continuity planning, and remote workers.

Compliance is best when it's continuously monitored, and it should be part of an overall risk management strategy. Here are common compliance questions I receive from C-suite clients and how I answer them.

1. What does compliance even mean?
Compliance is adhering to established rules and regulations, codes of conduct, laws, or organizational standards of conduct. In the context of cybersecurity, this means following guidelines established to protect the security and privacy of an organization's information system or enterprise.

2. To which regulations and organizational standards of conduct should I adhere?
Many public, private, and nonprofit organizations follow the National Institute of Standards and Technology (NIST) requirements as a solid baseline for privacy and security. These standards emphasize the need to comply with and implement critical security measures, including access control, awareness and training, configuration management, security assessment and authorization, contingency planning, incident response, identification and authentication, planning, personnel security, and system and information integrity.

3. How do I know which requirements I should be compliant with?
Because not all risks, missions, organizations, and agencies require the same level of protection, compliance requirements leave room for customization, so agencies and organizations can select the controls most appropriate to meet their goals and/or industry standards.

A risk management framework addresses risk at the organization level, mission/business process level, and information system level. Start with a security categorization process based on determining the potential adverse impact for organizational information systems. The results of your organization's security categorization can help guide and inform you in selecting the appropriate security frameworks (i.e., safeguards and countermeasures) to adequately protect your information systems.

4. Are there any specific regulations that address remote work?
This March, NIST released a draft revision of NIST SP 800-124 Rev. 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise.

NIST also developed NIST SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.

Both these NIST guidelines are mapped to applicable NIST SP 800-53 security controls and Cybersecurity Framework Version 1.1 functions, categories, and subcategories so you can check your compliance with these controls and update them as necessary.

5. What are my risks if I do not remain compliant?
If you allow your organization's security measures to slip, you can become vulnerable to hackers and bad actors who are experts at finding and exploiting these weaknesses. There's a saying among cybersecurity experts: Organizations have to be right every time; hackers only have to be right one time.

6. What other considerations should I factor in when developing an appropriate risk management strategy?
It's important to consider the appropriate governance, risk, and compliance strategy and tie it to your organization's desired business outcomes so you can operate without interruption, regardless of the disruption.

Baan Alsinawi is the Founder and Managing Director of TalaTek, LLC. Ms. Alsinawi's vision for TalaTek was the need for an integrated platform that could both control security and minimize risk, and which could be implemented to ensure compliance by agencies and organizations. ...