
Are You Gambling Everything With Your Cybersecurity Strategy?

Avoiding cybersecurity can be a federal offense.

Contracts with funding sources beyond the federal government often include general requirements like, “Parties agree to comply with all applicable laws and regulations …” or specific references, sometimes across multiple pages, detailing a wide range of cybersecurity and compliance requirements.

You may have signed and filed away contracts without sharing the details with your IT department, MSP, or compliance team.

You may have signed HIPAA Business Associate Agreements but failed to keep up with new requirements for working with healthcare clients.

You may have answered cybersecurity questionnaires hoping that your customers and funding sources never audit you.

Time is running out.

You need to protect yourself now from the death sentence of losing your funding sources and insurance coverage by taking these steps:

  1. Identify ALL your cybersecurity and compliance requirements, including all applicable federal and state laws, industry requirements, contracts, and insurance policies.
  2. Find and review your current contracts and insurance policies. Defense contracts, HIPAA, Medicare, and state laws require data protection. Other funding sources may have different cybersecurity and compliance requirements. Note any language in contracts related to cybersecurity, compliance, and breach notifications.
  3. Compare your requirements to what you are doing. This may take special tools and an independent consultant to validate what your IT staff or MSP is telling you.
  4. Contracts and insurance policies are legal documents. If audited or enforced, you will be required to provide documented evidence of compliance. Doing the right things but not having written reports to show consistency over time will cause you to fail an audit. This level of documentation requires special tools and additional effort beyond basic IT services. More than ever, customers are sensitive to the cybersecurity risks in their supply chain. Answering questionnaires opens you up to site visits and audits.
  5. Don’t fall for gimmicks. Self-questionnaire-based risk assessments don’t see what is going on in your network. Phony website shields of compliance can get you in trouble with the Federal Trade Commission. Engage a qualified expert to use specialized tools to get under the skin of your network to see what is really going on.

Finally, change the way you view cybersecurity costs. Look at cybersecurity and compliance as an investment in protecting your revenue, the people you serve, the people who work for your organization, and your long-term hopes and dreams.

Healthcare providers and defense contractors can pay $20,000 to expert advisers to identify their current situation, determine gaps, and create a roadmap for success. Then it can cost another $100,000 to overcome years of neglect and implement the required cybersecurity tools and services.

So, if $120,000 in additional cybersecurity seems expensive, just compare it to the $6 million in False Claims Act penalties you could pay by not doing the right things, and the $1,800,000 reward your disgruntled employee (or the last person you fired) could earn for turning you in.

You can always choose to turn down the money. If you only have one client that requires you to invest in complying with regulations or expensive contract terms, you can decide whether or not it is worth the investment.

But if you decide to take the money, you have no choice.

About the Author

MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.
