Best Practices Series: A Six-Step Business Compliance Checklist

This is part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories. In this submission, Malwarebytes Chief Operating Officer Barry Mainz offers a step-by-step business compliance checklist to consider utilizing at your own organization.

Businesses of all sizes are looking for new ways to remain industry compliant, some have even adopted regulatory tech tools to meet challenges. Though there are other actions businesses can pursue to check multiple boxes for their own protection that in turn complies with regulatory standards. Let’s examine the costs and challenges around compliance before breaking down a six-step checklist for businesses.

In 2021, businesses in the U.S. on average spent $10,000 per employee on regulatory costs, and while different industries may have different compliance requirements – such as the healthcare sector, where the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies; or the retail and restaurant sectors, where the Payment Card Industry Data Security Standard (PCI-DSS) applies, the basic concept of being compliant is the same.

It’s all about making sure that an organization follows the identified rules, laws, and best practices of the particular industry, including safely managing the data your company obtains from employees or customers, and also implementing internal policies that adhere to any industry, state, and federal regulations that may apply.

While supply chain disruptions understandably were the leading risk for organizations in 2021, this was followed closely by cyber incidents such as cyber-crime, data breaches, and fines and penalties so it’s important to understand that the core of these compliance requirements is centered on how your network and IT cybersecurity systems and practices are set up and managed on a day-to-day basis.

In fact, a business’s future growth may hinge on doing so, as the latest data suggests that cybersecurity practices among vendors are becoming an expectation, as 44 percent of firms say they are being asked for proof of cybersecurity as part of a request for proposal (RFP).

Businesses that fail to update compliance processes, systems, and technologies to meet the challenges of today’s rapidly changing regulatory environment could be in trouble down the road. Here is the 6-step business compliance checklist to help business owners navigate the process:

Facility access control

Physical security is about keeping your facilities, people, and assets safe. Set up policies to identify which employees (and contractors, visitors, etc.) can have access to particular facilities or buildings, keeping in mind any specifically restricted areas. Unfortunately, all the firewalls in the world can’t help you if an attacker removes your storage media from the storage room.

Identity Access Control

Securing your company’s employee passwords will protect your internal data from being accessed by an outside source. Set up a password policy that includes regulating password length, character requirements, frequency of changes, and blocking users after a certain number of logins.

Safeguards from Viruses, Malware, and Ransomware

With remote work becoming the norm in 2021 as a result of the COVID-19 pandemic, Remote Desktop Protocol (RDP) usage has surged and has exposed an exploitable vector for ransomware – brute force attacks. Consider deploying an Endpoint Detection and Response (EDR) solution that includes ransomware rollback so you can have peace of mind knowing that ransomware won’t damage your bottom line, reputation, customer experience, or team productivity.

Regular Security Updates to Software and Programs

This is important to protect your network and devices from hackers but also keeps you in line with many compliance requirements. In this case, visibility is key to prevention, so consider using a vulnerability assessment tool that can help you understand exposure, identify vulnerabilities and prioritize action.

Media Usage & Removal Policy

USB flash drives are absolutely everywhere, and they are admittedly very convenient – but they also carry huge data security risks. Create a policy for media usage and removal, with policies explaining how, when, and why any media can be used on the company’s systems.

Employee Security Training

Your people are both your first line of defense against cyber threats, and unfortunately, when it comes to phishing, they can also be the biggest risk factor. Employee security and compliance training should always be part of your risk management system, including company policies, issue reporting procedures, and regularly educating your employees on the current threats.