PCI-DSS: What Is It And How Does It Work?

In my last blog, I noted that I would be posting installments in a series about information security compliance protocols.  The first protocol is a written technical standard and compliance program that applies to any company, regardless of size, that stores, processes and transmits credit card holder data.  Cardholder data includes the primary account number (PAN), cardholder name, expiration date or service code (3-4digit security code).  I’m referring to the PCI-DSS or the Payment Card Industry Data Security Standard.

What

The Standard was devised and founded by five credit card companies – AMEX, Discover, JCB, MC and Visa.  These five companies make up the SSI (Security Standards) Council.  They created the Standard to inform merchants, acquiring banks (the banks that process the credit card information) and other service providers how to protect cardholder data.  This is why the PCI-DSS is considered a security compliance protocol.  It’s because businesses must maintain an information security program to comply with the Standard to protect cardholder data from cyber criminals.

What I mean by information security is how your business electronically or through your information technology (IT) system, protects data from breaches.  Your information security can be as elaborate as servers maintained at data centers around the world, or as basic as a router and its included firewall.  The point is that if you are processing, storing or transmitting credit card holder data, your security has to at a minimum be PCI-compliant.

The Standard came out in 2006 and has been revised a few times since then.  The last revision was in 2018.  Companies affected by the Standard typically have 18 months in which to comply with the revisions.  The Standard contains 12 security requirements with 280-sub-requirements.   There are also test procedures included in the Standard which gives businesses direction as to how to test their security infrastructure.

Briefly, the following are the 12 security requirements:

  1. Maintain firewalls to protect your network and other networks.
  2. Remove all default configurations and passwords.
  3. Protect any stored cardholder data you have.
  4. Encrypt transmissions of cardholder data over public networks.
  5. Ensure you have, maintain, use and implement anti-malware and antivirus solutions.
  6. Use and maintain secure applications and operating systems and write secure
  7. Restrict access to cardholder data to people who really need to see it and implement a user privilege policy.
  8. Identify and authenticate all users individually.
  9. Protect physical locations where cardholder data resides.
  10. Log and monitor access to systems.
  11. Test security on a regular basis to prove all the requirements or controls are actually
  12. Create, maintain and implement policies and procedures that your users know and

Now, before you start thinking – “12 security requirements with 280 sub-requirements?  I’m a small business how can I meet all those requirements and comply with this Standard?”  If you take a look at the 12 security requirements, they are minimal components of any information security program.  But more importantly, the volume of credit card transactions your business conducts in a year, dictates how exactly you have to comply.  For example, for businesses that transact 20,000 card holder transactions in a year, or less, only have to supply responses to the Self-Assessment Questionnaire annually.  However, as will be discussed, your business would benefit by doing more.

Is the Standard Legal?

Before I explain how compliance with the standard works, it’s important to know that the Standard is not a regulation or legally required.  It’s a contractual requirement.  What I mean is that the credit card companies contract with processing banks to manage their card holders’ information and how to process /protect the information.  The acquiring banks in turn have contracts with the merchants as to how to manage the credit card holder data.  Then, the merchants have contracts with the service providers to protect the cardholder data.  At a minimum, merchants should communicate to their service providers about their responsibility for the credit card holder data.  If a merchant has closely read the contract, they know they are agreeing to comply with the PCI standard and failure to comply results in legal action.

How to Comply

One of the ways cybercriminals cause a data breach is through Point-of-Sale (POS) terminals.  A POS terminal is the credit card machine at a merchant’s store used to buy goods.  Another POS is at gas stations.  You know, swiping/inserting your card at the pump.  POS terminals are common ways that cybercriminals breach data.  You’ve heard it in the news.  Remember Target in 2018?  They experienced a POS breach when 110 million customers’ credit card data were stolen.

An Example of a Breach

In this regard, the standard’s security requirements strive to prevent these types of breaches.  The Standard’s compliance obligations require merchants to annually validate that their information security complies with the 12 security requirements and the 280 sub-requirements.   In most circumstances, if a business suffers a breach to cardholder data, and can show that it did all it could to comply with the Standard, but was a victim of an unfortunate circumstance, the credit card companies will be more lenient. However, if a merchant’s card holder data was breached for failing to comply with a specific security requirement in the Standard, that merchant will most likely suffer serious fines, intrusions in their business operations and possibly face legal action.

For example, another avenue where cyber criminals can hack cardholder data is through a merchant’s information security infrastructure.  What I mean by that is your network.  Remember, your network can consist of several servers or a small business router and firewall.  As you know, your router/firewall comes with a default password to activate the router.  In turn, a password is necessary to access your network.  If you fail to change the default password to something more intricate, this is a violation of the Standard and you would be non-compliant.  Specifically, one of the 12 security requirements are to “Remove all default configurations and passwords.”  If you failed to change the default password, and this failure resulted in opening the door to a hacker, this would be a direct violation of the Standard and you and your business would suffer repercussions.  However, let’s say that you followed the Standard and did use a strong and intricate password and had a formidable firewall, but the breach still occurred, the credit card companies may be more lenient with you.  You, of course, would have to report the breach immediately and allow the investigators to access your business security infrastructure.

Fines for non-compliance with the PCI-DSS is $5,000-$10,000 a month, until the business gets compliant.  This doesn’t include any breach of contract claim.  But worse, you could lose the relationship with the credit card companies, the processing bank and your service providers.  This could be catastrophic for any small business.

Conclusion 

Complying with the Standard is no joke!  As noted above, your non-compliance can have drastic consequences.  There are some workable and mitigating items that you can do to minimize the possibility of a breach:

  1. Don’t be relaxed about your security!
  2. Take the time to know your security environment!
  3. Try to create layers of protection.
  4. Test your security regularly, and more than one-time a year!

Finally, for those of you who use PayPal or other financial services like PayPal, or use mobile card readers, you would still have some responsibility to comply with the Standard.

Remember, compliance is attainable and necessary to protect your business operations and profits.

We wish you “Infinite Success!”

Information Security: Regulatory Requirements for Compliant Information Security Management

An area that I’m passionate about is information security compliance.   As a compliance professional with a focus on cybersecurity risk management, it is my role to help companies understand the importance of abiding by the handful of important regulations and standards that manage information security risks.

Applicable information security regulations may vary by industry, but some of the most notable standards and rules include:  HIPPA, NIST, SOX, GDPR, ISO 27001 and PCI-DSS.  Many companies’, information technology functions fall under the rubric of one or possibly more of these regulations and standards.  My goal is to inform small businesses of these requirements and what they can do to comply.

Therefore, over the coming weeks, I will be posting installments discussing the specific requirements of these rules and standards, and providing my professional suggestions on how and why small businesses must comply.  Included in these posts will be analyses of the repercussions for non-compliance and examples of non-compliant companies in the news.

 

What’s A Reasonable And Achievable Standard For Corporate Compliance? The 80-20 Rule, 100% Compliance, Or Strict Compliance.

Once upon a time, I was a young and naïve compliance attorney with the hope that through my intellect and winning personality, I could get everyone to want to comply with company and legal standards.  After years in the industry however, I’m a lot more practical now and realistic.  But that doesn’t mean I don’t strive for the best compliance percentages, it just means that I’ve had to work hard to encourage and achieve compliance.  I had to decide what is an acceptable threshold for compliance – the 80-20 Rule, 100% compliance or strict compliance.  Here’s what I came up with:

  1. 80-20 Rule

In my article, What to Do if Corporate Leadership Doesn’t Comply . . . Lessons Learned, I discussed a work encounter where I was told the best expectation for company compliance is the 80-20 Rule.  For those of you who don’t know about the 80-20 Rule, it’s a Principle promulgated by Vilfredo Pareto which essentially determined that 20% of our actions creates 80% of the desired results.  So, focus on the most important 20% aspects of an issue and in most cases that 20% will result in 80% of a goal.  Interesting.  When General Counsel told me to implement the 80-20 Rule, I thought it meant that compliance should strive for 80% compliance accepting that 20% would be non-compliant.  I misunderstood. Now that I know, how can I apply the Pareto Principle, 80-20 Rule, to compliance achievement?

  1. 100% Compliance

I worked for a small contractor who brought me on board to do a risk assessment on contract performance.  He claimed that he expected 100% compliance.  When he told me that I was thrilled!  Finally, a Sr. Exec who believes in the benefits of compliance!  However, much to my dismay, I quickly realized he wanted 100% compliance without having to implement internal controls and processes.  The experience did get me thinking – Can a company realistically achieve 100% compliance?  Definitely not at this company, but what about others?

  1. Strict Compliance

When I realized the small contractor could not and would not achieve 100% compliance, I had to determine a new threshold for compliance success.  What was achievable here at this company and what was acceptable?  With support by one of the VPs, I came up with a new standard – Strict Compliance.  I think I came up with the term – strict, from case law decided by the U.S. Supreme Court, wherein the Court decided that parties needed to abide by the “strict letter of the law.”  Now, I can’t remember the case of course, but as a law student, that statement impressed me.  So, I used it here.  In another area strict compliance comes into play is in the finance world and letters of credit.  When claiming payment under a letter of credit, the seller/exporter/beneficiary has to present documentation to the bank that strictly complies with the letter of credit requirements.  A seller won’t be paid under the Strict Compliance standard unless his documents, on their face, strictly comply with the letter of credit.

So, how does this all apply to an achievable and reasonable compliance standard?  Well, under the 80-20 Rule, I analyzed what actions could I take as a compliance professional to derive the most desired goals or results.  I looked at what was the most important actions I needed to take (training, better communication, visibility) and found that 20% of those actions that I could implement would achieve 80% compliance.  It worked.  In terms of 100% compliance, I couldn’t find a company that advertises that it achieves 100% compliance, probably because in law, regulations can be moving targets.  Regulations are subject to change, and unless a company has a strong compliance program, it could quickly be non-compliant if the changes aren’t known beforehand.  A company can strive for 100% compliance however, by implementing the following: C-Suite encouraging and leading by example a culture of compliance; maintaining regular compliance trainings, that include the C-Suite; providing ample resources to support and improve the compliance program, and rewarding and recognizing employees who make business decisions that are consistent with a company’s compliance program.  Under strict compliance, in order to be successful, a company would have to comply with the substantial and essential requirements of policies, procedures and the law, even if that excludes some of the company’s obligations.

In sum, I believe the compliance standard is reasonable and achievable by using all or one of these three standards.  I believe that if a company can show that it established one of these thresholds, and is able to succinctly substantiate the efforts it takes to achieve that threshold, while proving its successes, regulators would be more amenable to accept that company’s intent and commitment to comply.

 

Can a Small Business Be Prepared for Everything? A True Story.

As a compliance and risk management professional I am irrefutably passionate and excited about compliance and helping businesses comply with their legal obligations (rules, regulations, contract T&Cs, etc.).  As such, I wanted to tell you a true story about what a business woman told me that happened to her business, and lessons learned.

Compliance Story

I met Kim at a conference a couple months ago.  We exchanged pleasantries and talked about where we worked, what we did (professionally) and how things were going.

When I told Kim, I was a risk management and compliance consultant, she became indignant and said – “Ha!  Risk Management!  What a farce!  Businesses can’t prepare for every risk nor can they prevent it from happening.  I know from experience!”

Apparently, Kim and her partner had recently purchased a small IT business.  She told me that the prior CEO had run the company into the ground and mismanaged the company.  Kim and her partner bought the company because they wanted to enter the IT industry that is experiencing dramatic growth in the area and they wanted to start a second career.  Knowing that the company had been mismanaged, they assumed the risk of the existing and potential problems that came with the company.

Shortly after they purchased the company, two of the key IT engineers quit without notice and bad-mouthed the company and management to customers saying, among other things, that the employees were mistreated.  Employees had not been given raises or bonuses for years.  They blasphemed the company to customers, vendors, and other employees.  The result was that Kim’s company lost customers, good customers, and the Company lost revenue.  To make matters worse, more employees left the Company putting Kim and her partner in peril because without the much-needed manpower, who would service the remaining customer accounts?  It took Kim months to regain customer and employee trust.  It took more than a year for Kim’s new IT business to recover the profits it lost from this unfortunate situation.  After this experience, Kim believes it wasn’t their fault as new business owners and blamed the previous management.  Kim believes there was nothing they could have done to prevent this incident from happening.  I respectfully disagree.

Lessons Learned:

It is possible a situation like this could have been prevented if Kim and her partner did a risk analysis of the business operations associated with the purchase of the company.  Buying a company with known management problems screams of business risk.  Kim could have taken the following practical steps:

  1. Take a deep look into the company financials and determine which are the higher valued customer accounts and ensure their accounts are given optimum customer service.
  2. Do a deep dive into the company’s operations and identify any weaknesses or potential risks in the various departments.  In Kim’s situation, knowing that staff had not received raises or bonuses in five years should have given her the insight to look into the HR department.
  3. Had Kim and her partner done #2 above, they could have met with the employees, encouraged them of the new and improved changes the new management was implementing and offer them something of value to motivate them to stay.
  4. Kim and her partner should have Immediately put into place employee confidentiality agreements.  Had they done so, Kim could have made a claim against the disgruntled engineers who left.  In this regard, Kim would make a legal claim against the engineers for breach of the confidentiality agreement for bad-mouthing the company, and possibly recover damages but certainly cease and desist the engineers’ actions.

Kim suffered an unfortunate situation, but in my professional opinion, much of this could have been avoided by doing a simple risk analysis before or shortly after purchasing the company.  Risk analyses and risk assessments help companies identify various risks and find ways to mitigate them before bad happens.  Yes, it’s possible that bad could still happen, but a well-informed company can put into place measures to minimize damage while continuing to maintain its operations.

There’s more that Kim could have done.  If you’d like to know what, how, or discuss the benefits of a risk analysis or risk management in general, and how it can help your company, don’t hesitate to reach me at the info below.

We wish you INFINITE SUCCESS!

Thinking Out Loud About the Role of Counsel and Smart Contracts in the Blockchain.

So, obviously, I have to discuss compliance and risk in the modernized world of information such as contracts, or in the case of blockchain – smart contracts.  I believe in innovation: innovating processes, procedures and services.  I think the blockchain innovates in a manner that threatens how compliance professionals and  attorneys traditionally think.  As an attorney, I am challenged by the use and acceptance of smart contracts in the blockchain.  It’s the modernized method of contracts formation and negotiation.

If you’re reading this blog, it’s probably because you are interested in compliance or some sort of risk management.  Perhaps you already know about blockchain (you know – think bitcoin and crypto currency.) In short and in the simplest of terms, blockchain is the technological method or process to join records of information or “blocks” together in a chain.  The “chain” is a string of records.  The blocks are always authentic because the records can never be manipulated, only changed by the network of participants by adding new records.  The records, are protected by strong encryption.  Hacking is minimally successful and the blockchain has proven that, with some limitations, it can be an extraordinary tool to buy and sell goods or services, transfer money and . . . contract.  There are so many other intricacies to the block chain, but for purposes of this blog, that’s all you really need to know.

Okay, smart contracts.  They’ve actually been around for years.  Apparently, in 1994, this legal scholar and cryptographer, Nick Szabo, determined a blockchain could be used to self-execute digital contracts – smart contracts.  Essentially, the way I understand it, a smart contract is merely computer speak or code that writes terms and conditions, and that facilitates or enforces action between parties to the smart contract.   But don’t think of those terms in legalese, but in a scripting language like Javascript or Solidity.  As an attorney, I have negotiated, and drafted contracts, and I’m pretty good at it.   But those skills will only get me so far because you need to be a computer programmer in order to write the logical programming language to develop a smart contract in blockchain.  However, the contracts are similar because they both contain terms and conditions that trigger action by one, both or all of the contracted parties.  Key differences in traditional and smart contracts, is that doing business with smart contracts, saves time, money and eliminates the need for a middleman – the attorney.  Some programmers believe that smart contracts will eliminate the need for attorneys.  While I agree that smart contracting may be faster and cheaper, we have to question the legal risks with that.  Attorneys provide the legal education/experience, negotiating skills and subject matter expertise that smart contracts and programmers don’t.

For example, I’m perplexed how a commercial construction contract (federal, sub or prime) can be successfully negotiated and executed via a smart contract.  There are a host of legal issues like safety, liability and insurance that affect a construction contract, for which a well-experienced and reputable attorney can decipher and negotiate for her client.  What about purchase and sales agreements in a merger & acquisition deal?  I can’t see how smart contracts can manage complex commercial transactions, without the usefulness of the legal mind.   Another example, aside from commercial transactions, is family law.  Adoptions, and divorce settlements.  There’s a host of privacy risks in adoptions and how do you measure performance in a divorce settlement?  Perhaps a cut and dry deal like mortgages or leases could be written in a smart contract, but I think programmers or others who are eager to eliminate the need for legal counsel should get a better understanding of how attorneys can benefit the creation, negotiation and execution of smart contracts.  Perhaps the better arguments should be . . . how can attorneys improve smart contracts?  How can the legal community and technological community join forces to help parties to a smart contract?   Heck, let’s face it, legal fees are costly and as a Pro Bono attorney, I have witnessed a deserving public go under or unrepresented because of time and money.  How about we come together and make technology work for all of us?  Programmers and attorneys . . . let’s unify!

Vulnerability Scanning Or Pen Testing – What’s A Small Company To Do?

Size doesn’t matter! All businesses should maintain some sort of system or network security to thwart cybersecurity intrusions. That includes small businesses. At a minimum, small businesses should implement fundamental and basic information technology (IT) security tools to protect their IT structures. Why? Because a single hacking incident can shut down a company’s operations and cause it to lose money. Basic and fundamental IT security includes regular vulnerability scanning, but is that enough?

Typically, vulnerability scans are automated, running in the background, scanning devices connected to IT systems for any vulnerabilities. The results are reviewed by internal staff, which, in a small business, may include the business owner. Vulnerabilities include threats to system integrity, confidentiality and authentication. It’s a best practice for any and all devices connected to internal IT systems to be scanned. It’s a simple tool to protect networks and systems. Vulnerability scans run often and provide data on what system vulnerabilities exist. This provides businesses with a baseline to compare what is “normal” and what isn’t. The results make business owners aware of what vulnerabilities exist in their IT security structures. But vulnerability scans are limited because they look for security vulnerabilities in a system or network, but don’t explain how to prevent or fix them. That is the purpose of penetration testing or “pen testing.”

After the completion of a vulnerability scan, pen testing is traditionally the next step. Pen testing assesses potential damages that can result in exploiting the vulnerabilities that were reported from the vulnerability scan. Pen testing consists of an ethical hacker penetrating (hacking) a company’s IT systems to exploit vulnerabilities. An effective pen test will determine the actual chance of a vulnerability being exploited to help business owners mitigate deficiencies.

Okay. Vulnerability scanning and pen testing are good for cybersecurity, but like most businesses, speed to market is a priority and oftentimes treated as a priority over cybersecurity. So, what’s a small business with limited financial and human capital resources to do?

Vulnerability scanning is available in a variety of formats. From cloud solutions to software solutions, from free options to commercial options, vulnerability scan solutions are accessible to small businesses. Pen testing, on the other hand, is conducted by a penetration tester, typically a consultant. Buyer beware; pen testers need to be certified and experienced in pen testing. Project-based pen testing can run approximately $3,000 to $4,000 per project, and if a company changes its IT structure, another pen test will probably be needed. For a contracted pen tester or in-house staff, their salary can run approximately $100,000 annually – clearly cost prohibitive for smaller companies. But there are alternative solutions to expensive pen testing.
New schools of thought posit that pen testing is merely an expensive superficial test into addressing vulnerabilities. Why not use money wiser and smarter?

At the RSA 2018 Conference, Adrian Sanabria, former Director of Research at Savage Security, discussed his company’s solution for “immature clients” to pen testing. He stated that the “immature client” is the client being infected by malware and successful phishing attempts. An immature client is missing the basic fundamentals of a security system, and therefore a pen test is too advanced for their needs. Instead, a client should be asked provoking questions like – Is your information backed up? If you are infected by ransomware, how will you be able to access your data? How long will it take your company to be back online in the event of a cyber intrusion? What are you doing currently to mitigate risk? It’s these issues that should be addressed with clients, not necessarily pen testing. Then help businesses plug the holes.

Sanabria doesn’t believe that the pen test should be “killed,” but instead should be de-emphasized for the immature business, ask relevant questions that will really help them and offer suggestions for automated solutions that mimic pen testing. For example, a small company could release fake malware into their system and see the effects. Additionally, there are mock phishing emails that can be sent to employees (unaware of the mock emails), in order to identify those employees vulnerable to a phishing scam. There’s also a tool called Infection Monkey. Infection Monkey is released into a company’s security structure, attempts to exploit vulnerabilities and reports back the results. Infection Monkey is a free open-source solution, and a viable alternative to small businesses instead of going the traditional pen testing route.

Small businesses aren’t immune to cyber threats. The Federal Communication Commission reported that less-secure small businesses are becoming easier targets to cybercriminals. Not only that, small businesses may have regulatory obligations like PCI and HIPPA that require secure IT systems. With that, all small businesses should really implement basic fundamental protections. Vulnerability scanning and alternatives to pen testing are affordable and effective security protections available to small businesses that offer protection and advance compliance.

Risky Healthy Risk Appetites

No, it’s not a play on words, it’s a real quandary. Can business owners maintain healthy risk appetites while simultaneously achieving their strategic and tactical business goals? If so, how?

In the compliance world, risks are a common dilemma. There are operational risks, reputational risks, financial risks, personnel risks, and more. Most businesses, regardless of size, face one or more of these risks if they want their business to grow. So to some degree, in fact, growing your business requires engaging in some sort of risk(s). I’ve come across some business owners who were more comfortable than others in taking heightened risks. A compliance professional can help business owners or management determine if they have healthy risk appetites, or unhealthy ones. These matter, because sometimes compliance becomes secondary for those unleashed owners or managers who focus on the end game instead of how to “compliantly” get there.

A risk appetite is the level of risk a business owner or manager takes in order to achieve the business objectives. A business owner with a healthy risk appetite includes one who does the right thing when no one is looking . . . in all deals. I define a healthy risk appetite as one that allows business owners to innovate and soar while competing ethically in the market and conscientiously considering their impact on the Company’s assets. (Assets can mean money, personnel, executed business contracts, etc.)

In all the risk assessments that I perform, I pay special attention to identifying the business owner’s risk appetite. Risk assessments, if conducted properly and effectively, reveal unknown risks and cause business owners to analyze their “risky” behaviors and the impact those behaviors have had or will have on the company. I’ve met business owners who care and those who don’t. It’s those unconscientious business owners who simply focus on the endgame. It’s possible that officers or managers experience pressure to meet the strategic and tactical goals. I’ve worked in Silicon Valley where the pressure to perform and meet strategic goals was always intense. But despite these pressures, compliantly getting there cannot and should not be compromised, as the benefits received when remaining compliant are quite significant.

So, how do business owners maintain healthy risk appetites while achieving their strategic and tactical business goals? Is it acceptable for business owners to rely on their gut instead of methodically considering the consequences? Ultimately, risks have to be considered when making business decisions. From my experience, business owners have to be taught about risks, the likely occurrence, the likely impact, the severity of that impact and the corresponding consequence. During a risk assessment, these elements can be measured via both quantitative and qualitative methods. Once business owners are made aware of those elements, they, with the help of the compliance professional, will have to rank their risk tolerance. In every risk assessment I’ve conducted, the business owner walks away with data they never knew. The reality of the most defiant business owner has changed after a well-performed risk assessment.

A healthy risk appetite finds the balance between low ranked risks versus high ranked risks, all the while complying with legal obligations. A risky healthy risk appetite is one where the endgame overshadows the legal obligations, or put simply, not doing the right thing when no one’s looking. A healthy risk appetite allows businesses to grow while preserving its foundation.

Hacked! The Implementation of NIST 800-171: Irony or the Energy of Non-Compliance

Irony.  I don’t believe in it.   What I do believe in is the metaphysical.  Meaning, the choices you make sets in motion energy through the universe which dictates the outcome of your experiences.  It’s important to avoid expecting an outcome, because a choice is neither good or bad, it just – is.  Alternatively, irony is the “state of affairs or an event that seems deliberately contrary to what one expects”.  While I cannot tell you the details of a situation I encountered, I can tell you that I was introduced to a Company whose C-Suite staff decided that complying with federal cybersecurity regulations was too expensive and unnecessary.  They were unsupportive of the due diligence that revealed weaknesses in its information security structure and scoffed at the mitigation plan.  It got me thinking, was it irony that explained what happened as a result of their non-compliance or did they merely make an objective choice that ended up creating a drastic outcome?

New Department of Defense federal cybersecurity regulations were put in place at the end of 2017, which require federal government contractors to incorporate certain information systems safeguards for the purpose of protecting federal government information.  The Guidelines can be found in the NIST 800-171.  At the Company discussed above, doubting senior officers were unconvinced that complying with the new requirements would protect it from a hacking incident.  They further believed that they would never be victims because hackers wouldn’t be interested in it. “Ironically”, shortly thereafter, the Company was hacked which financially threatened the Company’s core business operations.  The Company suffered significant financial loss, but thankfully no government data was compromised.

Had federal data been exposed, the Company would have to report the incident to the feds, implement its incident response plan, prepare for the federal government to take control of the Company’s operations for an unknown period of time, threatening the ability to conduct business, all the while struggling to recover the money that was stolen.  But the Company didn’t have an incident response plan nor did it have any understanding how to effectively investigate a hacking incident.

The situation was a wake-up call to the C-Suite staff, calling into question – had they implemented the new cybersecurity requirements, would the hacking incident have been minimized or even prevented?  I think the root of the problem was that the C-Suite staff rejected implementing an effective cybersecurity program because they didn’t care about compliance.  But in fact, the new cybersecurity requirements would have narrowed the gaps in the Company’s existing information systems infrastructure, more than likely protecting the Company’s assets and any federal data stored in its network.

At the end of the day, the lesson is that compliance has a place in every business.  Its healthy for a company of any size.  Its more than a cost center, it protects companies from risk and exposure that could be catastrophic.  Compliance is a money maker.  So again, was it just ironic that these nay-sayers suffered a hacking incident, or was it the non-compliance energy they released into the universe?