Manage Learn to apply best practices and optimize your operations.

How regulation should -- and shouldn't -- influence cybersecurity policy

Recent breaches display the importance of cybersecurity policy, and regulations provide a decent data protection roadmap. But compliance does not automatically equal security.

As technology has advanced during the past few decades, cybersecurity policies have progressed as well, and enterprises are generally safer now from malware and outside attack than ever before. But the stronger defensive technologies and internal security policies get, the more sophisticated cybercriminals become.

John Weathington
John Weathington

Most of us are familiar with the recent, high-profile data breaches affecting companies such as Sony Corp., EMC Corp.'s RSA Security division and, most recently, Global Payments Inc. These hacks cost companies hundreds of millions of dollars every year. Unfortunately, there's still no way to completely prevent attacks or totally insulate your business from a damaging data breach. But there are cybersecurity policy actions you can take to improve your chances. The first thing to understand? Adhering to compliance regulations won't really protect you.

For example, if you read through the Federal Information Security Management Act of 2002 -- the government's own information security regulation -- you won't find anything specific about what federal agencies must do to protect their information. It simply states that certain commonsense structures, such as policies, procedures and IT controls, should be in place.

What the regulation does do, however, is prevent overly negligent behavior, with penalties and fines for crossing a very low threshold. You'll find similar elements within the Health Information Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and most other privacy-related regulations issued by the government.

Knowing risks is a key ingredient for building a solid internal security policy.

The good news is that compliance with these regulations is fairly easy. The bad news? They're nowhere near sufficient as comprehensive data security guidelines. Most of the big companies involved in recent high-profile data breaches were in compliance with government regulations. Heartland Payment Systems Inc. didn't pay over $100 million in penalties and fines to the government because they failed to comply with regulations. They paid damages to credit card companies like Visa and MasterCard because they were hacked. All the while, they were given a clean bill of health by Payment Card Industry data security compliance auditors.

A better strategy is to build a solid, prevention-focused internal security policy, because prevention addresses risk proactively. For instance, a common recommendation for dealing with cyberattacks is to build a data breach action plan to contain damage after a breach is discovered. This is reasonable advice, but if you're at the point where the plan must go into action, the breach has already occurred. It's far better to never have the data breach at all.

Building an internal IT security policy around prevention starts with asking the question, "What would cause a data breach at my company?" It continues with, "How can I prevent these causes?" and, finally, "How should my operation look if I were effectively preventing these causes?"

Build internal security around regulation

Although adhering to regulations does not provide adequate protection against cyberattacks, they can be a good starting point, because regulations provide clues as to what your actual risks are. Knowing risks is a key ingredient for building a solid internal security policy. To uncover risk, start by examining a piece of the regulation and asking, "What risk (i.e. uncertain event) is this regulation trying to control?"

For example, HIPAA's technical security regulations state that data involving protected health information (PHI) must be secured from intrusion. It goes on to talk about encryption for network transmission. But in a closed system with proper access control, encryption is optional. What risk are we trying to prevent? It's an unauthorized person accessing private data, regardless of how they get it.

If we focus on the real risk of an unauthorized person accessing private data, we can start to build an internal security policy around that risk. One factor to consider is the medium on which private data resides (e.g., hard drive, flash drive, CD-ROM). Regardless of physical access to the media, if the data is not usable, then it's not accessible. One preventive control is to use encrypted media with tightly controlled passkeys distributed only to authorized personnel. This could be the beginning of your new internal security policy: always use encrypted media when PHI is involved.

Notice how we arrived at this policy through a specific risk, and how it's different from the original regulation, which seems to be a little lax about encrypted hard drives. If BlueCross BlueShield of Tennessee had gone through this process, they probably would not have had 57 unencrypted hard drives with PHI data stolen from their facility, and they also probably would not have had to pay out $1.5 million to the Department of Health and Human Services for their data breach.

Data breaches will continue regardless of what measures companies take -- cybercriminals always stay at least one step ahead of the cybersecurity companies – but, like most criminals, they usually pick their easiest targets. The individuals that hacked Heartland Payment Systems didn't pierce their firewall with sophisticated algorithms reserved for the super-intelligent -- they initially tunneled in using a simple SQL injection hack.

Even if you keep your security gate high by maintaining good internal policy, you can still be hacked. But why would cybercriminals prey on those companies when there are easier targets out there? Remember: The best data breach is the one that never happens.

John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy. Write to him at

Dig Deeper on Risk management and compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.