How to Monitor Compliance?
Published November 1, 2018 by Karen Walsh • 4 min read
You’re feeling really great about your security-first approach to cybersecurity compliance. You created controls, aligned them to frameworks, and continuously monitor external threats that can compromise your information. If you only monitor compliance from a technology standpoint, though, you’re missing one of the primary causes of data breaches – employee awareness.
How to Monitor Compliance in the Workplace
What data breach statistics support employee training
Remember the days when you heard someone say “fishing” and conjured up a calming image of a solitary day on the water? No longer. Today, phishing is the biggest risk to your data.
In healthcare, phishing led to some of the top data breaches.
- 1.4 million records exposed at UnityPoint Health
- 30,000 records exposed at Legacy Health
- 21,000 records exposed at the Minnesota Department of Human Services
- 20,000 records exposed in Catawba Valley
Unfortunately, healthcare isn’t the only victim of phishing attacks. According to the 2018 Verizon Data Breach Investigations Report:
- 4% of people click on phishing campaigns
- 17% of data breaches arose from employee errors
Employees don’t generally want to harm your business, but insider threats remain a major cybersecurity concern.
The 2018 Insider Threat Report explained that databases and file servers remain the most likely targets. Surveyed cybersecurity professionals split their concern over insider threats with 47% saying they worry about malicious insiders and 51% worried about accidental or unintentional user threats.
Put simply: you can deploy all the external threat monitoring programs you want, but your employees can still accidentally cause data breaches that cost money.
Why you need to monitor for noncompliance
Sure, data breaches cost money. However, they’re not the only costs associated with poor employee cyber hygiene.
The Health Insurance Portability and Accountability Act (HIPAA) penalizes healthcare providers and business associates anywhere from $100 to $50,000 per violation (or per record).
The Sarbanes-Oxley Act of 2002 (SOX) penalties for noncompliance include prison time and monetary fines.
In 2016, Wells Fargo employees established unauthorized accounts for existing customers as part of a sales initiative that cost the financial institution $1 billion in fines.
Noncompliance and unauthorized employee access to information mean not just data breach costs but also exposure to regulatory fines.
Why employee training is important to compliance management
A primary function of compliance management is ensuring a group of people follow a set of established rules.
A security-first compliance program starts with establishing controls over your data environment and ecosystem. However, you also need to create a culture of compliance that gets employee buy-in. If your employees aren’t cyber aware, then all the data analytics in the world aren’t going to protect you from noncompliance.
If your employees click on malware that exposes databases to hackers, then you’re going to lose the peace of mind that your external threat monitoring intended to provide.
How to engage in cybersecurity compliance monitoring with employees
Training sounds easy, right? You hand out some worksheets, policies, and procedures. You have everyone read them. You offer a quiz to ensure they retained the information.
Unfortunately, most employees hate required trainings. They’re boring and lower productivity. So, what can you do to help employees be more cyber aware?
Make it personal
People are more likely to apply education when they see it as important personally. Whether employees are disaffected, uninterested, or confused, training works best when there’s a personal connection to the information. If you think employees don’t want to be more cyber aware for you, make them see it as something to do for their families.
For example, most employees use social media outside of work. The recent Facebook data leaks are a perfect way to connect the personal to the professional. If they’re worried about their personal information, teach them better password hygiene or focus on how applications talk to each other. If they start practicing this at home, they’ll do it at the office.
Focus on passphrases
Your IT department can control user access and user authentication methods. If you’re worried that your employees won’t be cyber secure, you need to make the secure behavior mandatory. A recent SpyCloud report explained that 59% of people use the same password everywhere. Since they’re afraid they’ll forget the password, they keep using the same one.
Ensure that you focus on creating a strong passphrase policy. With more hackers using computer programs to crack passwords, the typical randomly generated password no longer protects your data. Incorporate the idea of a passphrase – a personally meaningful phrase – that can stymie these mathematical guesses.
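As an added illustration (not code from the original post or from ZenGRC), here is a small Python check that enforces the kind of passphrase policy described above: a minimum length and word count, no repeated words, and rejection of passphrases that appear in a breach list or that reuse a previous passphrase. The breach list, the thresholds, and the use of plain SHA-256 digests for the history comparison are constructed assumptions for the example.

```python
import hashlib
import re

# Constructed sample of breached/commonly reused passphrases, stored as SHA-256
# digests so the plaintext never needs to be kept. In a real deployment this
# set would be populated from a breach corpus (assumption for this example).
BREACHED_HASHES = {
    hashlib.sha256(p.encode("utf-8")).hexdigest()
    for p in ("correct horse battery staple", "password123", "letmein")
}

MIN_LENGTH = 16   # characters (policy value chosen for this example)
MIN_WORDS = 4     # whitespace-separated words (policy value chosen for this example)


def passphrase_digest(passphrase: str) -> str:
    """Unsalted SHA-256 used only for membership checks against lists; stored
    verifiers should use a slow, salted password hash instead (assumption)."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def check_passphrase(passphrase: str, previous_digests=()) -> list:
    """Return the list of policy violations; an empty list means accepted.

    previous_digests: digests of the user's earlier passphrases (for reuse checks).
    """
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    words = re.findall(r"\S+", passphrase)
    if len(words) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words")
    if len({w.lower() for w in words}) < len(words):
        problems.append("repeated words")
    digest = passphrase_digest(passphrase)
    if digest in BREACHED_HASHES:
        problems.append("appears in known breach list")
    if digest in previous_digests:
        problems.append("reuses a previous passphrase")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple",
                      "my dog eats purple socks on tuesday"):
        print(candidate, "->", check_passphrase(candidate) or "accepted")
```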
Use multifactor authentication
You need to make sure you require more than one factor to get into your systems and networks. You can hand out corporate tokens to employees or require that they use an authentication application when signing onto your networks.
Multifactor authentication means ensuring that employees are using something they know, something they own, and/or something they are. You want to give them a way to supplement the passphrases with either an object (cell phone or token) or a biometric (fingerprint, facial recognition).
Create clear reporting procedures
Your C-suite engaged in a risk assessment, but your employees may not understand the variety of data risks inherent in their daily business activities.
You need to define your information asset risks in a way that matters to their work. For example:
- Phishing emails – make sure to forward anything suspicious to the IT department
- USB drives – if you find one, bring it to the IT department so they can check it out. Don’t go looking for the owner by plugging it into your computer.
- Pop-ups on websites – tell the IT department if you’re seeing these because our browsers shouldn’t be allowing them.
You want to give concrete examples based on the risk assessment and a specific point of contact to make sure employees can report suspicious activities on their devices.
How ZenGRC enables monitoring compliance in the workplace
ZenGRC provides task prioritization that lets you track compliance activities that reduce vulnerabilities by scheduling reviews and monitoring their completion dates. With these workflows, you can ensure that your IT department reviews user access regularly while also providing employees an easy-to-use reporting tool for suspicious activities.
As a single source of information, the platform stores and supports remediation activities to prove your continuous compliance and continuous auditing approach to information security.
By using our intuitive interface, you can easily upload frameworks, objectives, and controls while also managing changes to those controls across a variety of frameworks.
For more information on how ZenGRC can enable your compliance efforts, contact us for a demo.