What Does Cybersecurity and Privacy Compliance Mean for Startups?
At its core, cybersecurity compliance involves adherence to standards and regulatory requirements set forth by an agency, law or other authority. Organizations must achieve compliance by establishing risk-based controls that protect the confidentiality, integrity, and availability of information.
Some requirements apply to virtually all businesses; others depend on an organization's industry or specific situation. The most widely applied security and privacy frameworks, regulations and standards are the National Institute of Standards and Technology's Cybersecurity Framework and Privacy Framework (NIST), the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).
Smart businesses strive to align with at least one of these frameworks, and if there's one that organizations should prioritize it's the NIST frameworks. Although voluntary rather than a regulation, they are far from a burden: they provide a blueprint an organization can follow to make sure it has taken every realistically possible step to secure itself, and their control catalog maps onto most of the other regimes described below.
The GDPR is another very important regulation. It is a set of data privacy rules meant to grant individuals greater rights over how their personal information is collected, stored and used. Although promulgated by the European Union, it applies to any organization, regardless of location, that offers goods or services to people in the EU or monitors their behavior, which in practice covers most businesses with an online presence. It is better to become GDPR compliant than to gamble on whether you can get away with being noncompliant.
PCI DSS is the third standard to know about. It was created by the PCI Security Standards Council, founded by the major payment card brands, to reduce payment card fraud, and it is enforced contractually through the card brands and acquiring banks rather than by statute. In general, any business that stores, processes or transmits cardholder data must comply with it; a noncompliant merchant risks fines, higher processing fees, liability for fraud losses that occur on noncompliant systems, and ultimately the loss of its ability to accept cards.
Beyond these three, most security regulations tend to be industry specific. Healthcare organizations, for example, must comply with the Health Insurance Portability and Accountability Act (HIPAA). Publicly traded companies must meet the internal-control requirements of Sarbanes-Oxley, and financial institutions are subject to the Gramm-Leach-Bliley Act. Companies that do business with the U.S. Department of Defense, meanwhile, may have to participate in the Cybersecurity Maturity Model Certification program. Many startups will find that their investors, if not their customers or business partners, require such compliance, so it pays to identify which regimes apply before the first enterprise contract or funding round rather than after.