If your business stores credit card information (PCI), works with sensitive health care documents (HIPAA), or works with personal financial information (GLBA), this article is for you.
Compliance regulations can be tricky to navigate, especially when you’re running a small-to-medium business and often juggling multiple roles. The troubling thing is that compliance isn’t simply a “one and done” deal. You have to monitor your business at all times.
It’s also possible that you’re currently outsourcing your IT services to a third-party provider. Inherently, this is not a problem, but take caution if you’re using a break-fix or hourly billed model.
Why Break/Fix is Risky for Compliance-Based Businesses
The nature of break/fix services rests solely on the premise that you are responsible for letting your IT provider know when there’s a problem. This works for organizations who don’t encounter IT issues often, who have the cash to spend on unexpected IT costs, or who have an in-house IT person who just needs occasional help from time to time.
The trouble is that you may not know when you are in violation of a regulatory compliance law, which puts you at incredible risk for huge fines, litigation, and loss of business. Additionally, you likely don’t know where the weaknesses are in your IT that leave you prone to attacks, and a break/fix arrangement isn’t responsible to look for them.
Let’s Look at the Repercussions for Regulatory Compliance Failure
Whether you fall under HIPAA, PCI, GBLA or another form of compliance, failure to meet your requirements results in hefty fines.
When you’re in violation of HIPAA compliance, there are two segments with different penalty amounts for ignorance or neglect, the first up to 100k per year, and the second up to 1.5 million per year.
More troubling is that you and your business can be charged for violations, resulting in both criminal and civil penalties.
Example: Failing to perform an organization-wide risk analysis that measures the potential for protected health information (PHI) to be vulnerable to exposure.
Fines for failing to meet PCI regulations range from 5k to 10k, with the possibility of lawsuits and damage to your business reputation.
Example: Failing to implement access control protocols and changing default settings. These are just two examples. A full list can be found here.
Grahm-Leech-Blighly Act penalties are two-fold: the organization faces up to 100k and officers/directors can be charged up to 10k each, in addition to lawsuits and damaged business reputation.
Example: Failing to provide consumers with prior notice of information-sharing policies or failing to allow for an opt-out of private information sharing with non-affiliated entities.
While the fines due to violations are high, that doesn’t begin to scratch the surface of the cost of downtime your business will face while waiting to get the issue addressed, or the cost to your business to recover from a breach in security. If you don’t have someone constantly monitoring your IT, how can you know if you’re at risk until after it’s too late?
How to Determine Your Risk
First, you need to know where your gaps are, how many you have, and how to fix them. There are a few different types of cybersecurity tests to use, but we highly recommend a Vulnerability Scan, as it goes into more specifics than a Penetration Test. You can learn about the three different ways to test your cybersecurity here.
Once you’ve determined where you have holes (nearly every business does), your IT provider or your Vulnerability Scan team can close those gaps.
Once you’ve scanned and repaired, it doesn’t stop there. You need to keep a wary, watchful eye on your data as hackers love to target businesses because of the wealth of personal data they have. We recommend talking to your provider about setting up a schedule to be tested.
Who Should I Use for Compliance Monitoring?
- Use your in-house team as usual. Outsource the vulnerability scans and their repairs to a third-party company. Get clear buy-in from your internal teams so that they understand this is to supplement and support their activities, not to take their jobs.
- Find a company that can provide fully managed services that also provides vulnerability scans if you’re looking to switch providers.
Not sure where you fall on the regulatory compliance responsibilities list? Take our questionnaire to find out.