Compliance regulations provide organizations with acceptable standards for developing strong cybersecurity programs. Compliance is an important tenet underlying the development and maintenance of information security programs. Different regulations have emerged over the years to address increasing security challenges.
Today, cyber actors are relentless in innovating new security risks, malware, trojans, and programs for compromising organizational security. Also, emerging technologies have always brought along unprecedented security risks. For example, the use of virtual currencies like Bitcoins, Monero, Ethereum, etc., have caused crypto-jacking attacks to rise, edging out attacks like ransomware attacks, which have been dominant for years.
It is, therefore, vital for organizations to understand the current and the future of cybersecurity and how they can best protect themselves from emerging threats. A primary response has been the establishment of international and local regulatory bodies to develop security standards to enable companies to harden their security postures.
A common feature of compliance is that regulations, standards, policies, and legislations are directly influenced by evolving cybersecurity environments. Many organizations thus find it a challenge to maintain acceptable compliance postures.
Current Compliance Regulations
Compliance regulations provide organizations with directives for safeguarding their data and IT systems, and for addressing existing privacy and security concerns. Also, compliance regulations ensure that companies fulfill their obligations to prevent accidental breaches and attacks caused by negligence or the implementation of insufficient security programs.
Most regulations compel organizations to secure their systems through implementing a variety of basic security measures such as firewalls, adequate risk assessments, data encryption technologies, and training employees on secure use and handling of sensitive information.
Whereas some regulations are voluntary, others are mandatory. Consequently, organizations should demonstrate they not only understand them, but they also implement and maintain them accordingly. They should, at any time, produce evidence they are compliant.
Benefits of Compliance Regulations
- Business opportunities: compliance regulations are meant to enable companies to secure their systems and observe best practices for protecting data. Potential customers often incline towards businesses that fully comply with existing laws.
- Reduced risk: the guidelines and recommendations provided in compliance regulations allows companies to reduce cyber threats as they are tested and accepted internationally.
- Avoiding fines and penalties: most compliance regulations are mandatory, and non-compliance leads to hefty penalties. Some, such as the GDPR, may fine organizations millions of dollars. Complying protects a business from such fines, and this is an advantage as far as its finances are concerned.
- The rule of law: compliance regulations ensure that all businesses abide by the same rules. Compliance levels the field as enterprises can adopt equal security measures and be assured of adequate security.
- Increased efficiency and improved economies of scale: compliance regulations are developed to provide businesses with cost-friendly yet effective security practices. At minimal costs, a business can deploy working security solutions and enjoy the same protection as a fortune 100 company.
Existing Compliance Regulations and Requirements
- HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is a regulation for securing the health data in organizations across all industries. Organizations often collect and store health data of their employees while healthcare institutions interact with patient data daily. Health information is highly sensitive and not subject to disclosure to unauthorized parties. As such, protective measures for securing it must be implemented.
HIPAA compliance regulation contains a set of requirements that each organization must demonstrate a full understanding. HIPAA also requires businesses to implement training programs to equip employees with security and awareness skills. Training staff ensures they are aware of their security responsibilities when accessing information systems that house sensitive health data.
Also, HIPAA requires companies to develop and maintain processes for detecting and preventing instances of security violations. Also, to be HIPAA compliant, an organization should, at all times, conduct risk analysis and assessments to identify security vulnerabilities in their systems.
Implementing steps for managing and reducing identified risks should follow to ascertain information systems and infrastructures are no longer at risk. More so, HIPAA dictates that organizations should create sanction policies for dealing with non-compliant staff members.
- FISMA
The Federal Information Systems Management Act (FISMA) was developed to enable federal agencies to secure their information systems. The regulation applies to all partners or contractors that conduct any business with the federal agencies.
The main focus of FISMA regulation is to enable federal agencies to develop awareness and security training programs. The training programs aim to ensure that all users interacting with federal information systems are aware of the security guidelines and practices to adhere to. FISMA requires personnel working either in federal agencies or with the agencies, i.e., contractors, business partners, etc., to participate in the training programs to understand underlying security guidelines and procedures.
Anyone accessing information or the federal information systems information must prove to have completed the training course and fully understands the course material. The personnel must also demonstrate an ability to put into practice the acquired skills and competently apply best practices to secure federal information.
- PCI-DSS
Payment Card Industry Data Security Standard (PCI-DSS) is a compliance regulation designed for organizations that deal with credit cards. The compliance standard provides businesses with security guidelines to implement to secure a customer’s financial information.
PCI-DSS impacts businesses that process credit cards which require owners to input sensitive information in online platforms such as eCommerce websites. As a result, there is always a risk that cybercriminals may compromise such platforms, thus providing them with access to sensitive information. PCI-DSS compliant organizations have to implement all the security measures recommended to safeguard such client information.
Some of the requirements of the standard include installing firewalls and configuring them to ensure a business protects the data and information of the cardholder. Also, PCI-DSS guides an organization on how to reset the default security parameters and system passwords of vendor-supplied systems. This is to ensure that new passwords are hard to crack and the security parameters are configured to meet the security needs of the organization.
Also, PCI-DSS regulation tasks organizations with the responsibilities of implementing security measures for encrypting card information relayed over public and insecure networks. Other requirements include adopting access control strategies to restrict unauthorized access to card information and regularly testing the security of systems and processes.
- GDPR
General Data Protection Regulation (GDPR) has become immensely popular since it was implemented in 2018. The regulation requires organizations to implement sufficient security protocols for securing personally identifiable information belonging to individuals from European Union zones.
GDPR provision applies to all organizations in the world as long as they handle and process data belonging to an EU citizen. The regulation has compelled many organizations to comply to avoid the hefty fines that come along with non-compliance. Additionally, a company can be fined if insufficient security processes cause a data breach leading to loss or disclosure of personally identifiable information. Google was fined €44 million due to using user data to promote ads.[1]
GDPR requires companies to notify data owners of any intent of using their data for any reason. An organization must obtain the explicit consent of the data owner or risk being fined heavily. Also, GDPR encourages businesses to implement and maintain mechanisms for securing personal data. These include encryption, password protection, and access control measures. The regulation contains other requirements that purpose to boost data security.
- NIST 800-53
The NIST (National Institute of Standards and Technology) publication 800-53 provides federal agencies with guidelines for securing their information systems. Additionally, organizations in the private sector use the same guidelines to harden their cyber defenses. The NIST 800-53 framework provides federal agencies and respective contractors with guidelines they can implement to ensure they comply with FISMA compliance regulations.
The guidelines comprise of various controls which can aid in developing secure information systems that are resilient to cyber-attacks. Some of the proposed measures include the management, technical, and operational safeguards which, when implemented, can preserve the availability, confidentiality, and integrity of information and information management systems.
Besides, NIST 800-53 provides security guidelines based on the security control baseline concept. The concept applies to identifying controls that meet the security needs of an organization. The baselines provide federal agencies and private organizations with considerations such as functional and operational needs, which also include common threats to organizational information systems.
The NIST regulation further observes a tailoring process in which an organization can use to identify the controls that provide security according to the requirements of their information systems. Some of the security controls recommended in the compliance regulation include access control, awareness and training, audit and accountability, configuration management, contingency planning, incident response, personnel security, identification and authentication, and system and communications protection.
Balancing Compliance Regulations and Cybersecurity
Compliance regulations play an integral role in fostering cybersecurity. However, as witnessed with the recent enactment of GDPR (General Data Protection Regulation), many businesses have channeled resources and time in complying with the regulation rather than focusing on proper security guidelines. What’s worse, most regulations become outdated quickly, meaning that organizations will always struggle to be compliant with new standards and regulations.
It is also important to note that cybercriminals have access to the regulations. They will always find a way to work around them to compromise the security guidelines contained in the guidelines. Essentially, companies exhaust finances, human resources, and time on compliance regulations with inherent vulnerabilities instead of focusing on fool-proof cyber defenses.
But what can be done to address such issues in compliance regulations? Well, businesses have the responsibility of investing in the latest defensive trends to counter new threats and attacks. Maintaining multiple regulations to remain compliant without addressing cybersecurity defense can be detrimental to their security. To balance the two areas, that regulations and security, companies should invest in technologies that can achieve both purposes.
An ideal example of an approach that can be explored to resolve this issue is artificial intelligence. AI systems are often used to understand vast quantities of information such as those contained in multiple regulatory compliances. Depending on the security needs of a company, this technology can ensure that it is always compliant with existing and emerging regulations. At the same time, AI has proved useful in developing cybersecurity tools like antivirus solutions and intelligent firewalls and intrusion prevention and detection systems. AI not only allows a company to kill two birds with one stone, but it also provides solutions to other challenges. Such include reducing the cost and labor needed to achieve full compliance and strong cybersecurity.
The Future of Cybersecurity
Recent cyberattacks have resulted in large-scale damages and widespread destruction. In 2017, WannaCry, one of the most significant ransomware attacks to date, hit many countries around the globe. United Kingdom’s National Health was the most affected as the attack crippled healthcare services across major healthcare facilities for close to a week. NotPetya ransomware attack followed in the same period. The incident targeted power and energy companies in Ukraine and oil companies in Russia, causing huge losses and damages.
Such attacks demonstrate why researchers and governments are continuously working towards realizing better defensive strategies to stay a step ahead. However, although a lot is being done to provide working mitigations to rampant cybercrimes, the cyber threat environment will keep changing as new technologies emerge. These will be leveraged in both fighting cybercrimes and in developing more sophisticated attacking patterns.
The entry of 5G Network
Many countries are set to roll out 5G network connectivity and infrastructure convergence. Top among them include South Korea, China, and the United States. Huawei has already released smart TVs in Chinese markets that use 5G networks. Whereas the new network contains many benefits, most of which rely on its super-fast speed, 5G networks are poised to have the biggest challenges in cybersecurity landscapes. 5G networks not only provide faster internet speeds, but they are designed to connect billions of new devices every year in the future.
The devices will utilize the internet to run critical infrastructure and applications using internet speeds that are at least 1000 times faster compared to current internet speeds.[2] As a result, new architectures will emerge, and they will be used to connect whole geographic locations and communities, industries, and critical infrastructures. At the same time, the 5G networks will significantly alter cyber threat landscapes. Most of the attacks perpetrated today are financially motivated but without causing real and physical damages to infrastructures or locations.
With 5G networks, cyber-attacks might cause severe physical destruction that might destabilize a country’s economy or cause wanton loss of life. Worse still, such attacks will be executed using the same quick 5G speeds, such that it will almost be impossible to detect and prevent them before they occur.
Moreover, 5G networks will enable cyber adversaries to discover vulnerabilities and exploit them to execute attacks instantly. Now, despite this being similar to the techniques used today, the main difference is that entire enterprise, critical infrastructures such as road networks for autonomous and self-driving vehicles, and other infrastructures needed to run a smart city will be connected. The destruction that such attacks will cause if successful can only be imagined. Some examples of such attacks are already happening today.
For instance, the Department of Homeland Security hacked into the systems of a Boeing 787 passenger aircraft in 2016. The plane was parked in Atlantic City, and the hack was done remotely without relying on insider help. Also, a ransomware attack targeting the City of Baltimore locked out over 10000 employees from their workstations.[3] Such attacks might not have caused any destruction on the victims. That would, however, not be the case had they locked out 10000 self-driving cars from accessing critical infrastructure systems. They would be unable to communicate with each other and from accessing navigational systems, meaning that they would cause massive accidents or massive traffic congestions.
In the coming future, 5G networks will lead to the development of smart cities and infrastructures. These will result in an emergence of interconnected critical systems at an entirely new scale, including automated waste and water systems, driverless vehicles depending on intelligent transport systems, automated emergency services, and workers. They will all interdepend on each other.
As much as these 5G enabled solutions will be highly connected, they will likely to be highly vulnerable. During the 2017 WannaCry attack, the ransomware took several days for it to spread globally. 5G networks will enable such networks to spread at a speed of light. 5G networks will revolutionize the world immensely but also potentially drive cybercrimes to real-world scenarios, resulting in consequences yet to be known.
Artificial Intelligence
The need for developing real-time detection and preventive measures, especially with the adoption of 5G networks, cannot be underscored. Artificial intelligence technologies provide crucial components required for the world to realize a global immunity and security as far as cyber-attacks are concerned. Artificial intelligence is already being used to innovate and develop cybersecurity solutions that can operate at a pace and scale that can secure digital prosperity in the future. AI-powered security solutions will be leveraged to achieve top-notch efficiencies in detecting and responding to cyber-attacks, provide real-time mitigation measures to cyber threats and instant situational awareness, and automate processes for risk assessments, threat detection, and mitigation, and so on.
However, many reports today indicate that cybercriminal communities are seizing and exploiting artificial intelligence security solutions as soon as they are developed. This poses new challenges in the race for developing working solutions to global cyber threat landscapes. Cyber actors using artificial intelligence to execute different crimes might instantly bypass industrial technical controls developed over several decades. For example, in the financial industry, criminals may soon develop intelligent malware programs capable of capturing and exploiting voice synthesis solutions. This will allow the mimicking of the human behavior captured in biometric data such that criminals can bypass the implemented authentication procedures for securing individual bank accounts.
Besides, using artificial intelligence for criminal activities will most likely lead to the emergence of new breeds of cyber-attacks and attack cycles. Malicious actors will target and deploy such breaches where they will cause the highest impacts, and using means which industries across the divide never thought would be possible. To mention just a few, artificially intelligent attacks might be used in biotech industries to steal or manipulate DNA codes. They might also be used to destabilize the mobility of unmanned vehicles, and in healthcare systems, where smart ransomware programs will be timed to execute when systems are most vulnerable, thus causing the highest impact.
Biometric Security
Combating the emerging cybersecurity trends will most likely cause biometrics to be among the most used strategies for security. Currently, biometrics are playing a central role in securing devices like laptops and smartphones, or for physical security where iris and fingerprint scans are used to secure sensitive and classified areas.
Biometrics will continue being used in the future to develop next-generation authentication mechanisms. Adopting such measures will necessitate the acquisition of enormous data volumes of individuals and their activities. Fingerprint, iris scans, and voice recognition security will not be adequate, and biometrics will include other details such as body movement and walking styles. This will only cause cybercriminals to, however, target new generation biometrics data. Rather than focusing on targeting data like personally identifiable information, including contact details, social security numbers, or official names, attacks will focus on acquiring data used in biometrics security.
What Next? New Measures and Compliance Regulations
So, the main question is what’s next for cybersecurity in the future? First, it is essential to note that cybercriminals have been executing low-risk attacks where there are high-rewards and minimal or zero attribution. This has caused organizations to mostly depend on traditional responses as most have provided practical solutions so far. In the coming years, emerging and transformative technologies will significantly alter the cyber threat landscapes.
Understanding how to best secure against the expected rise of new generation cyber-attacks and threats will first require we understand the extents to which cyber landscapes will change and the transformation of risk environments. Such an urgent and critical analysis can only be accomplished through persistent research for evidence-backed results. The expertise which security professionals, academic giants, and policy makers possess will be integral to developing exceptional measures for curbing future cybercrime activities.
Ultimately, new compliance regulations are necessary as a result of the changing cybersecurity landscape. At the same time, the responsibility for complying will increase as a result of the new laws and regulations as well as user demands and public opinion. Organizations will remain challenged to incorporate the new requirements into their business processes, including their communications, employees, tools, and infrastructure.