By Phil Bianco, Chief Technology Officer, Melillo Consulting
Implementing solid security practices is challenging in any market, and in a regulated industry it can be even more daunting. Regulatory compliance is the set of rules an organization must follow to protect sensitive information. Businesses that handle digital assets, consumer data, health information, employee safety records, or private communications are subject to it, and failure to comply can be extremely costly. The utility, banking, and pharmaceutical markets are among those required to gather and protect data in very specific ways, because the information they handle is so sensitive.
Three main challenges security solution providers face include:
- Unencrypted data
- Malware protection
- Unsecure third-party services or vendors
How can regulated industries protect against those threats and mitigate risk? Let’s look at each of these three challenges.
Unencrypted Data
Unprotected sensitive data exposes customers and employees alike to identity theft and financial fraud. Smaller regulated businesses are often targeted because attackers assume their networks are less protected, but large businesses are at risk as well, generally because they fail to encrypt their data or to protect the encryption keys; encrypted data stored alongside the key that decrypts it is not meaningfully protected. Fines for a data breach can be crippling, but the costs also include undergoing, and paying for, a forensic investigation, providing credit monitoring for affected customers, lost revenue from reputational damage, and litigation.
Malware Protection
Security professionals can close many of a company's gaps with email filtering, antivirus software, cloud-based backups, and similar controls. They can also recommend tighter access control, so that employees can reach only the parts of the network their work requires, which limits how far malware running under a compromised account can spread. Routine audits are a good idea for every business, to keep systems current and prepared for new malware and other cyber threats. In regulated industries, audits may be required at fixed intervals. For instance, Sarbanes-Oxley (SOX) compliance requires an annual audit in which a public company must demonstrate accurate financial reporting and the controls that protect the data behind it. While the main objective of a SOX audit is to verify a company's financial statements, cybersecurity is an increasingly important part of it, because the infrastructure that handles financial data is managed by IT departments.
Unsecure Third-Party Services or Vendors
It is common for regulated businesses, financial institutions in particular, to use partners or contract services to lower operating costs. The trouble is that third parties then hold access to private data and internal systems, which is a huge liability. Sustaining an outage is also extremely costly: some estimate that one minute of downtime can cost as much as $5,500. In 2013, the retailer Target was breached when attackers entered its network using credentials issued to a third-party heating and ventilation (HVAC) contractor, then used that foothold to install malware on point-of-sale (POS) devices and steal payment card data belonging to tens of millions of customers. The lesson is that a vendor's credentials should reach only the systems its work actually requires. Regulated businesses therefore often manage third parties centrally, require continuous monitoring of their access, and define protocols for handling these risks.
One approach Melillo uses to help clients in regulated industries become more secure is to standardize their processes and streamline compliance activities with a tool such as Micro Focus ALM/Quality Center, which lets us define compliance requirements, test against them, and track the results.
Regulated industries have a responsibility to their customers, suppliers, and employees to protect the sensitive data they store. When risk is not properly assessed, the consequences are costly, but those financial losses and the reputational damage that follows can be avoided with proper planning.