If you follow the news, you have probably heard about the recent data breaches affecting large companies such as Garmin, Equifax, Desjardins, and LifeLabs. In some cases, the companies in question may have paid out millions in ransom and been fined under data protection regulations. We may never know the full remediation costs, in technology, time and lost revenue, that these breaches imposed on the affected environments.
This type of damage will have an impact on their operations for years to come in unpredictable ways.
You won’t hear about the thousands of small and medium businesses that have also had breaches, and in some cases they aren’t even aware of them yet. If your business were one of them, would you know what your risks and responsibilities are?
In Canada, we have several regulations regarding the protection of Personally Identifiable Information (PII) and Personal Health Information (PHI). If you deal with international customers, you may also fall under non-Canadian regulations. Some of the most common regulations you may have heard of are:
· the Québec Private Sector Privacy Act
· the Personal Information Protection and Electronic Documents Act (PIPEDA)
· the Personal Health Information Protection Act (PHIPA)
· Payment Card Industry Data Security Standard (PCI DSS)
· General Data Protection Regulation (GDPR)
Remember: It’s the law, it’s not optional.
By ignoring or neglecting the appropriate legal mandates, you open your business up to an increased risk of an audit, hefty violation penalties, potential litigation and severe reputation damage.
The Buck Stops with you!
That’s right; regardless of whom you work with, ultimately, it’s your responsibility to ensure you are compliant with the law. While your vendors may share some responsibility in the event of a breach, it doesn’t lessen your burden.
So, what do you do?
Many of the rules and regulations require you to demonstrate that you took reasonable effort to ensure compliance, but how?
We demonstrate compliance with documentation, procedures, policies, and monitoring. It’s not a one-off exercise but an ongoing effort that needs to become part of your business in order to manage risk.
How can we do that?
There are several frameworks and certifications you can adopt, and they all have a different methodology. One of those frameworks is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
NIST CSF aligns with PIPEDA/PHIPA requirements
The NIST CSF exists to streamline cybersecurity for private-sector businesses. The NIST CSF is a set of voluntary standards, best practices, and recommendations designed to help your business be prepared for and reduce the risks from cyberattacks.
The NIST CSF has five critical functions or best practices, called the Framework Core. These functions work concurrently to represent a complete security lifecycle. They are imperative for a well-rounded security posture and successful handling of cybersecurity threats.
NIST CSF is not a checklist, and it’s not a one-time exercise. The security requirements of your business are unlikely to be the same as mine. For this reason, the NIST CSF is intentionally broad rather than prescriptive.
That’s why working with a professional IT Partner like Demand ITS Inc. is critical to success.