What Regulatory Compliance Requirements Are You Forgetting?
If you think banks and retailers are the main targets of cybercrime, think again. By Trend Micro's count, health care organizations and educational institutions suffer more breaches than retailers and banks combined.
According to a Trend Micro analysis of reported data breaches, health care organizations accounted for roughly 30 percent of all breaches over the past decade. Many of these enterprises hold troves of regulated information: personally identifiable information (PII) such as names, addresses, Social Security numbers and dates of birth, plus payment card data, insurance ID numbers and protected health information (PHI). Yet while financial institutions spend 12 to 15 percent of their IT budgets on security, health care organizations allocate less than 6 percent. That gap is a problem.
No matter what industry you work in, regulatory compliance is crucial. If your business fails to comply, reputational damage, litigation and serious financial penalties may follow. Beyond the ethical obligation to protect consumer and employee data, most businesses are subject to a wide range of laws and rules that protect both business and individual information.
Crucial Regulatory Compliance Standards
Global businesses operate in a complex web of requirements that varies geographically. To make sure your organization is in line, consider how the most common regulations apply to your business.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA requires covered entities (health plans, health care providers and clearinghouses) and their business associates, meaning any partner with access to patient information, to safeguard PHI. It also reaches employer-sponsored group health plans, including those administered in-house by human resources departments.
- Payment Card Industry Data Security Standard (PCI DSS): A contractual standard maintained by the card brands rather than a law, PCI DSS protects cardholder data. It covers online, telephone and in-person transaction processing as well as any storage of card data, and it prohibits storing sensitive authentication data such as the card verification code after a transaction is authorized.
- Sarbanes-Oxley Act (SOX): For IT, the most relevant SOX requirements concern records retention (Section 802), internal controls over financial reporting (Section 404) and the integrity of the applications that feed those reports. In practice, financial records must be protected from deletion or alteration, and financial information must be disclosed on time.
- Gramm-Leach-Bliley Act (GLBA): Beyond requiring financial institutions to issue annual privacy notices, GLBA's Safeguards Rule requires them to maintain a written information security program that protects customer financial information.
- Family Educational Rights and Privacy Act (FERPA): FERPA protects the privacy of student education records. It gives parents (and students once they turn 18 or enroll in a postsecondary institution) the right to inspect those records and bars disclosure to third parties without consent. Newer guidance prompted by the growth of online education applies those protections to student data held in online services.
- Bank Secrecy Act (BSA): Enacted to combat money laundering and terrorist financing, the BSA requires financial institutions to retain transaction records and to report suspicious activity to the appropriate authorities.
- Monetary Authority of Singapore (MAS) Act and Regulations: Businesses conducting financial transactions in Singapore must comply with MAS risk management requirements, including its Technology Risk Management Guidelines.
- Basel III: To cushion the global banking system against major shocks, internationally active banks must meet capital and liquidity requirements, which means preserving and protecting the financial data used to calculate their risk profile and liquidity positions.
The Most Vulnerable Data
Attackers go after the data that brings the greatest return, so Trend Micro ranks stolen data types by the price they fetch on underground markets. Account passwords are the most valuable, averaging $75.80, followed by health records at $59.80 and Social Security numbers at $55.70. Credit reports for people with high FICO scores sell for $25, and scans of documents such as passports and driver's licenses go for $10 to $25. An attacker may spend months targeting one high-value user's password because it opens the floodgates to every other type of data.
“If the aim is to get educational or health records, having a person’s PII provides the attacker a higher chance of accessing those bits of information,” Trend Micro explains. “If attackers really want to gain access to the proverbial keys to the kingdom, they would go for credentials — more specifically, the credentials of a network administrator.”
To protect this data, a resiliency services provider can address specific regulatory compliance needs or help you prepare for an audit. One of the quickest ways to get serious about security is to implement the 20 Center for Internet Security (CIS) Critical Security Controls, formerly known as the SANS 20, a prioritized set of controls that can cut your data security risk by an estimated 94 percent.