RegTech Eases Compliance Costs & Strengthens Cyber Security

RegTech Simplifies Governance, Risk, and Compliance

As compliance costs skyrocket, standards grow increasingly complex, and the cyber threat environment evolves, organizations are turning to RegTech solutions to automate their compliance processes and improve their overall cybersecurity posture.

As compliance costs skyrocket, standards grow increasingly complex, and the cyber threat environment evolves, organizations are turning to RegTech solutions to automate their compliance processes and improve their overall cybersecurity posture.

Compliance with regulatory and industry standards, such as HIPAA, PCI DSS, FedRAMP, and SSAE 16 SOC reporting, are a burdensome yet necessary part of doing business in the digital world. Organizations operating in highly regulated industries, such as healthcare and finance, face significant compliance challenges, especially when they must comply with multiple standards. HIPAA, for example, applies to any organization that handles medical records, including schools, collection agencies that handle medical debt, personal injury attorneys, and SaaS providers of healthcare software; meanwhile, these same organizations may also have to comply with PCI DSS, SSAE 16 reporting, SOX, and other applicable standards.

Organizations must figure out which standards apply to them, then continually keep up with reporting requirements, audits, and the inevitable changes in those standards as technology and the cyber threat environment evolve. It is estimated that regulatory compliance costs U.S. businesses about $2 trillion annually, and in a perverse twist, small business’s compliance costs are over three times higher than what large companies bear. This heavy burden helps explain why so many enterprise cyber security “plans” start and end with compliance, even though compliance does not equate to data security. It’s not necessarily that organizations don’t care about whether their data is secure, but that they spend so much money and time on compliance, there’s nothing left to tackle cyber security.

Fortunately, technology has made it possible for organizations to achieve compliance and secure their systems and data, at an affordable cost.

RegTech to the Rescue

One of the biggest problems in many organizations is the fact that their compliance processes – or the processes of their third-party compliance providers – are not automated. Some companies still use spreadsheet programs such as Excel for compliance reporting and audits, even though Excel was never meant to be used with the very large data sets produced by today’s complex data environments. But RegTech software, such as Continuum GRC’s IT Audit Machine (ITAM), can.

While the term “RegTech” is most commonly associated with the finance industry, RegTech solutions can be employed by any organization that must adhere to compliance standards, including healthcare, cloud computing, SaaS, education, and public-sector organizations. RegTech solutions utilize big data capabilities and rapid report creation to automate data management and reporting. Instead of multiple, disparate spreadsheets and ledgers, RegTech software creates a centralized repository of all IT compliance requirements with associated controls and automated information flows for audits, assessments, and testing.

Making Sense of Big Data

The big problem with big data is that it amounts to a lot of big noise unless you have the capability to analyze it and derive actionable insight from it. RegTech doesn’t just simplify your compliance processes; it also strengthens your enterprise’s cyber security by providing the advanced data analysis capabilities you need to make sense of your data environment and discover where your vulnerabilities lie. The ITAM, for example, integrates IT governance, policy management, risk management, and incident management. In addition to taking the pain out of the compliance process, it empowers you to document and analyze IT risks, develop mitigation plans, define security controls, and manage ongoing risk assessments so that you can anticipate new and emerging threats and stop them before a breach occurs.

RegTech is poised to transform IT governance, compliance, and cyber security. Organizations that employ this new technology will free up money, time, and human resources to innovate, create, and pursue long-term organizational goals instead of being bogged down in regulatory paperwork and worried about data breaches and other cyber attacks.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization successfully simplify Governance, Risk, and Compliance, and secure your systems.

The 6 Data Breaches that Defined 2016

As the year comes to a close, we take a look back at six data breaches that dominated the headlines and defined the state of cyber security in 2016.

It could be said that 2016 was the “Year of the Hacker.” From healthcare to politics to adult entertainment, no industry was spared the wrath of cyber criminals. Here, we reflect on six of this year’s most infamous data breaches.

As the year comes to a close, we take a look back at six data breaches that dominated the headlines and defined the state of cyber security in 2016.

1. The SWIFT Network Attacks

It was a plot that sounded like it came straight out of a Bond movie: A band of international bank robbers stole nearly $100 million from a bank in Bangladesh, spooking finance executives around the world and leaving them wondering where the thieves would strike next. But these robbers didn’t hand a note to a teller or dynamite their way into a vault; they breached the victimized banks’ networks and accessed their accounts on the SWIFT network, a proprietary messaging system that few people outside the finance industry have ever heard of. Once inside SWIFT, they were able to remotely send billions of dollars in fraudulent money transfer requests. Most of these were caught and flagged, but $81 million went through, and the hackers remain at large. These data breaches sent shockwaves through the finance world and threw into question the integrity of what was once thought to be one of the world’s safest networks.

2. The Yahoo Data Breach

The Yahoo data breach, which compromised 500 million user accounts, resulted in at least 23 lawsuits, and put the company’s planned acquisition by Verizon at risk, didn’t happen out of nowhere. It was the result of years of the company putting cyber security on the back burner in the name of not compromising “the user experience.” Other companies should look to Yahoo as an example of what can happen – in fact, what is bound to eventually happen – when information security is not taken seriously. While it’s true that end users of software products can be fickle and impatient, it is far better to risk annoying customers with product security measures than to leave their personal information open to data breaches.

3. The DNC Hack

Cyber security took center stage early on in this year’s contentious U.S. presidential election, and the Democratic National Committee became the poster child for embarrassing email data breaches. In June, WikiLeaks released a number of damaging emails stolen from the DNC’s email server. Among the “highlights” were what appeared to be messages written by high-ranking party officials plotting to smear candidate Bernie Sanders and planning to reward high-dollar DNC donors with federal appointments in an anticipated Hillary Clinton administration. As if that weren’t bad enough, some of the emails compromised these same donors’ private data, with one email attachment containing an un-redacted image of a six-figure check, complete with the donor’s routing and bank account numbers. The hack was so scandalous that the DNC’s chairperson, CEO, and communications director were forced to resign.

4. The FriendFinder Data Breaches

Apparently, last year’s Ashley Madison data breach didn’t teach companies that store sensitive information to be adults about data security. In October, news broke that six sites owned by FriendFinder Networks, Inc., owners of some of the world’s largest adult entertainment sites, had been hacked. Over 412 million user accounts were compromised, most of which came from a site called AdultFriendFinder, which bills itself as the “World’s Largest Sex and Swinger Community.” In addition to users’ email addresses and passwords – which had been stored as plain text or hashed and converted to all lower-case, making them far easier to compromise – hackers also got hold of the company’s source code and private/public key pairs. As of this writing, the FriendFinder hack is set to win the “award” for the largest data breach of 2016.

5. The Wendy’s POS Hack

Where’s the cyber security? Around the same time fast-food chain Wendy’s announced it would be switching from human clerks to automated ordering kiosks, the company was forced to admit that it had been victimized by a massive breach of its existing POS systems, which exposed customer credit card information captured at 1,000 of its locations in the U.S. Rather than taking responsibility for the data breaches, Wendy’s decided to pass the buck, insisting that “only” independently owned franchises, not company-owned locations, had been breached, and further claiming that the breaches were the fault of third-party POS service providers hired by its franchisees. This spin-doctoring didn’t dissuade dozens of credit unions from joining a class-action lawsuit against the chain, alleging that Wendy’s knew that its POS systems were not secure but did nothing to address the problems.

6. The Hollywood Presbyterian Medical Center Ransomware Attack

While it was not technically a data breach, we felt we would be remiss if we did not mention the infamous Hollywood Presbyterian ransomware attack, which happened early in the year and was a harbinger of things to come for the healthcare industry. Hackers managed to lock down the hospital’s entire network, including its electronic health records (EHR) system. Hollywood Presbyterian ended up forking over $17,000 in Bitcoin to get back in – an act which, unfortunately, emboldened hackers, who now knew they could easily extort big paydays from healthcare facilities. A spate of similar attacks hit medical facilities across the U.S., Canada, and even the U.K. As of this writing, Intel estimates that hospitals have paid various hackers nearly $1,000,000 in ransom this year.

Here’s hoping that 2017 is the year the “good guys” finally get the upper hand in the fight against data breaches, ransomware, and other cyber crimes.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.