While speaking with managed service providers (MSPs) on whether or not they are offering security to their SMB customers, I often end up in a conversation dealing with compliance. The subject of compliance is often at the forefront of partners and their customers within industries such as healthcare, finance, government, and retail. For those verticals, meeting compliance standards with industry regulations is essential for remaining in business.
Compliance doesn’t mean your customers are secure
However, being compliant does not necessarily equate to being secure. While it is true that being compliant can certainly help prevent organizations from having to pay hefty fines and fees, compliance also works to establish a baseline of security in the form of governance over daily operational items and business practices. However, compliance alone is not enough. If all you are doing to keep you and your customers safe is relying on compliance, you will eventually regret it.
One specific and key reason for this is that compliance primarily relates to items that are already defined, such as policies, procedures, employee ethics, and of course administrative, physical, and technical controls. Compliance works by allowing us to place a scope around such predefined items in order to measure both the effectiveness of controls and how well we adhere to such controls. In other words, compliance does not take into account all of the potential risks to which you and your customers are exposed. Again, compliance does not equal security.
Security, on the other hand, incorporates a collection of technical systems, specific tools, and process controls designed to shield and protect information and technology assets. The goal of security is to minimize damage from known and unknown risks and threats, such as a phishing campaign, an undefined product vulnerability, or new variants of malicious code. In this case, security contemplates risk factors as a measure of impact vs. probability.
The relationship between compliance and security is best explained with an analogy. Let’s say that the primary thing you do to stay healthy is to follow a strict, nutritionist-approved diet. A healthy diet is a good practice and will likely help you achieve your health goals. However, if you do not know your family’s medical history, or choose to ignore it, you may find that even with your well-balanced your diet, you still have high cholesterol that requires medication to keep it under control. The bottom line is that you need to consider both your diet and your family history to address and maintain a clean bill of health. As such, compliance and security are diverse components of a vital and essential business approach, and MSPs that primarily concentrate upon compliance requirements, without respect to security, may be left open to risks outside their focus. Or worse, those MSPs may be leaving their customers open to security risks.
Over the years, it has also been suggested that if you are secure then naturally you are compliant, as security is more comprehensive. However, this has never really been true. The logic behind this is that while an MSP may not have to adhere to any regulatory or contractual compliance requirements, they will likely, at some point in time, have to abide to breach notification or privacy laws from within their home state or any states where they currently do business. In the next few years, more states are slated to pass legislation regarding privacy, as California did on January 1st by enacting the California Consumer Privacy Act (CCPA). Such legislative activity is expected to bring additional compliance requirements to both MSPs and SMB customers.
So, what does this mean for you and how should you address this?
The bottom line is to be both compliant and secure. While there may be some overlap, both compliance and security are necessary to maintain an “audit-ready” posture for compliance, as well as to sustain a “low-risk” outlook from a security perspective. To unify and attain both of those positions, make certain that you fully understand all aspects of your customers’ business and operations. By doing so, you can define the compliance landscape and provide a comprehensive set of the security controls necessary to protect both your business and the continuity of your customers’ operations.
The first step of being both compliant and secure is to implement the necessary controls. Once implemented, ongoing monitoring and regular testing will ensure that the controls remain working as designed. You may wish to consider semi-annual testing for both your security controls and your incident response plan. As a final step, engage with a law firm, one astute in cybersecurity litigation, and have them review your cyber-risk insurance policy before you sign one. This is important, as your attorney will likely be the one defending that policy if you have an issue or claim.
Photo: designer491 / Shutterstock.