Is being secure and being compliant the same thing?
Oftentimes, when I ask a ConnectWise partner if they’re offering security to their SMB customers, their answer revolves around consulting on compliance. Verticals like healthcare, financial, government, and retail are low-hanging fruit for security revenue opportunities because compliance is a requirement of being in business.
However, being secure and being compliant are NOT the same. Did you know that you can be compliant without being fully secure? While being compliant increases data protection and keeps organizations from paying hefty fines, it’s simply not enough. If that’s what you’re relying on to keep you and your customers safe, you’d be sorely mistaken.
Being compliant is like following a strict nutritionist-approved diet to stay healthy.
While that's a good practice, and it will certainly help, it’s also very important that you know your family's medical history and how that could impact your health in the future (your risks) so you can make necessary, and maybe even lifesaving decisions. If you ignored your risks and only stuck to a good diet, you might be blindsided at a doctor’s appointment to learn that you have a certain hereditary disease.
“If we had only caught this sooner…”
Many MSPs only approach security when an incident occurs, while others are being proactive to meet their customers’ compliance requirements. Neither group is thinking of the broader picture of risk. You need to fully understand your risks to ensure that you and your customers are secure. Don’t wait until disaster strikes.
Let’s dive into the differences between the two phrases.
What does it mean to be compliant? Is that enough?
Regulatory compliance describes an organization’s efforts to be aware of, and take steps to comply with, the relevant laws, policies, and regulations that apply to it, such as PCI, HIPAA, GDPR, and DFARS.
We’ve all seen companies make news headlines over security breaches. The court then determines whether there was negligence in adhering to regulations and taking the legally required steps to properly protect their data. If the company is found not to be compliant, there are heavy financial consequences.
How much are we talking? Yahoo’s loss of 3 billion user accounts cost them an estimated $350 million off their sales price.
Needless to say, there’s a big incentive for companies to cover the basics when it comes to security. However, if you stop at just being compliant, you’re essentially only doing the bare minimum, whatever is legally required.
It’s a starting point.
The next step is to ensure security. Go above and beyond.
According to Cisco, “Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.”
When hackers attack your business, it’s not just your business that’s at stake. By getting access to your database, hackers gain access to all your customers. So, we could consider ensuring cybersecurity as a social responsibility (not just a legal one).
We believe in doing business this way, going above and beyond, and have adopted the NIST Cybersecurity Framework. It consists of standards, guidelines, and best practices to manage cybersecurity-related risks as an ongoing practice.
As leaders in the IT industry, we’re all constantly looking to others who are doing things well and subscribe to best practices in several other areas of business. Cybersecurity is no different.
The framework encourages identifying your risks proactively, so you can take the necessary steps in reducing and managing your risks.
How to assess risks
We know what you’re thinking, “Easier said than done, though, right? Just another thing to add to my to-do list.”
This process doesn’t have to be overwhelming. Knowing where to start is half the battle. Smart security offerings start with a risk assessment that allows you to proactively identify security risks across your entire business as well as your customers’ businesses, not just their networks. The result is an easy-to-understand, customized risk report showing your customer their most critical risks and recommendations for how to remediate them.
The bottom line: be compliant AND secure. Start by understanding your legal compliance responsibilities to protect yourself and your customers during a disaster. Then take it a step further: assess and fully understand your security risks, and develop a plan to reduce them.