MSSPs know that the protection provided by even their most powerful and comprehensive security solutions can be quickly undermined by careless or negligent behavior on the part of their clients. Educating IT staff and end-users has always been a core component of an effective security strategy, and with today’s sophisticated and rapidly morphing cyberattacks, the need for end-users to be more threat-aware and “threat-savvy” has become critical.
Most data breaches that we hear about occur because the bad guys are able to take advantage of employees who don’t know policy, aren’t security-aware enough to think “oh, this is a moment when I should be following policy,” aren’t clued in enough to report suspicious activity, or don’t understand why they should care about their company’s security well-being. Most organizations now mandate that their employees strictly follow the company’s security practices. In fact, the number of people who have been let go purely for failing to adhere to security guidelines has been growing rapidly.
MSSPs need their customers’ end-users as allies in keeping those customers safe. As regulatory requirements relating to data security become increasingly rigorous and complex, MSSPs are expected to apply their expertise by developing practices and guidance that help ensure their clients’ compliance.
While organizations may resent the bureaucratic red tape and time-consuming tasks that are often needed to satisfy governmental and industry regulations, MSSPs can allay that resentment by showing their clients how conforming to security-related regulatory requirements can result in significantly improved protection for their organizations.
U.S. cybersecurity regulations for seven different industry sectors:
- Financial: The financial sector has several cybersecurity requirements set by federal and state regulators. The most common set of requirements is found in the Federal Financial Institutions Examination Council’s IT Examination Handbook (FFIEC IT). That handbook consists of many booklets containing the resources and requirements financial institutions are expected to adhere to. Financial regulatory bodies also publish a number of additional guidelines.
- Retail: The retail sector isn’t federally regulated, but it does follow the Payment Card Industry Security Standards Council’s Data Security Standard (PCI DSS). This group issues security standards that any organization that processes payment cards or holds payment card data is required to follow.
- Healthcare: The best-known standard for cybersecurity compliance in health care is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes cybersecurity standards for health care organizations, insurers, and the third-party service providers that medical organizations do business with.
- Consumer Data: Currently, 47 out of 50 states (and the District of Columbia) have enacted compliance requirements obliging organizations to notify the state about security breaches that compromise customer data. The Federal Trade Commission (FTC) can also penalize organizations for failing to adequately protect consumer data.
- Defense: As a condition of providing services to the U.S. Department of Defense (DoD), businesses must meet the cybersecurity requirements set out in the Defense Federal Acquisition Regulation Supplement (DFARS) and its Procedures, Guidance, and Information (PGI).
- Insurance: While regulations for insurance departments and companies vary state by state, many have issued requirements to protect consumer information.
- Energy: The Federal Energy Regulatory Commission (FERC) has the authority to establish cybersecurity regulations over a number of electric utility companies and operators.
In Europe, the upcoming May 2018 implementation of the EU’s General Data Protection Regulation (GDPR) will bring a modernized process (the first in almost two decades) for protecting customer data—and GDPR will impose a significant penalty equaling four percent of an organization’s global revenue if it doesn’t comply with the GDPR’s rules and regulations.
With so many regulatory requirements to contend with, it’s no surprise that demand for security awareness training services is growing rapidly, and customers now expect managed security providers to round out their service offerings with regular assessments, application testing, education and training, simulation tests, compliance testing and auditing, consulting and advisory services, and more.