As the end of the year approaches, hidden annual security requirements tend to pop up at the least convenient time. Although we're glad to spring into action to help bail out companies that have some last-minute cybersecurity obligation that needs "doing" before December 31st, we'd rather help you avoid that type of scramble altogether in the future. Here are the top ways that you can sniff out hidden annual security requirements well in advance, to avoid a scramble.
The #1 place that we find "hidden" annual security requirements, is in the responses that employees have made to outside inquiries about internal security practices. Customers, vendors, and other partners have become increasingly aware of the risk that they take when they do business with any company providing a technology component or solution. Because of that, there has been a proliferation of security questionnaires flowing back-and-forth between companies that have any type of technology dependency on each other.
The bad news? The responses to that questionnaire are often incorporated "by reference" in a broader legal document binding the companies to abide by the responses that they've submitted. Responses like saying that you do annual companywide security training. Or that you have endpoint security on each remote worker's computer. Or that every employee acknowledges the company's infosec policies within a month of joining the company.
These statements -- made in the urgent final moments of finalizing a partnership or customer agreement -- are easily forgotten when it comes to revamping the broader organization's policies and practices. So, they are a common source of "hidden" annual security requirements that lead to a race to comply by year-end.
There's a piece of commonplace knowledge amongst small business operators, that when doing business with a larger company, the deal usually ends up being "on their paper" -- meaning, on the legal document drafted and preferred by the larger organization. That may very well be a 200 page Master Service Agreement (MSA) littered with obligations that the smaller business must fulfill. Cybersecurity insurance requirements. Penetration testing requirements. Regulatory requirements. Audit requirements (maybe even SOC 2 Type II). Because these documents can be unwieldy, and because the initial signing of these documents often involves quite the time-sensitive scramble, they become a hidden home of many annual security requirements that companies sometimes forget to implement.
Are you subject to HIPAA? Or the FTC Safeguard Rule? Or FINRA? Or any other regulatory body or standard? It's hard to imagine any industry regulatory body that isn't implementing annual security requirements. Almost all of them do. And most of them are poorly understood, because small businesses tend to lack the cybersecurity professionals to pour over these documents in detail and pop out with a neatly-organized summary of security actions that the company needs to take.
None of this is easy. And it's made harder by the fact that most small businesses bear a combination of annual security obligations from many disparate sources. Perhaps several MSAs, a couple regulatory bodies, and a poorly-organized backlog of enterprise security questionnaire obligations. Before you go overboard, though, please take some solace in this: every company that we've helped catch-up on their annual security obligations has found overlap in their obligations to various parties. For example, security awareness training might check an important box on both an MSA and a regulatory obligation. Endpoint protection might address a gap in several enterprise security questionnaires. The overlap -- and the efficiencies of having a coordinated cybersecurity program that meets many obligations with each action -- is the key way that our clients stay sane. And we're glad to help your organization as well.