Prior to partnering with BDO Digital, this Chicago-based firm was using various security assessment tools and approaches with little success. The results were often overwhelming and lacked a clear path towards prioritizing and resolving the issues at hand.
With an increase in cybercrime and pending HIPAA and NYDFS compliance laws, the firm knew they needed to take action. However, like most midsize organizations, they did not have the time or resources in-house to identify, prioritize, and remediate risks surrounding network security, platform security, application security, and industry-specific compliance. They were looking for a partner to provide the specialized expertise necessary to do justice to the critical tasks of protecting their IT assets from external threats.
Due to BDO Digital's proven track record of providing executive-level cybersecurity and compliance advisory services, the professional service company felt confident in their decision to partner with BDO Digital.
BDO Digital has customers in many industries, facing many types of compliance requirements (HIPAA, NYDFS, PCI, GDPR, etc.). BDO Digital's advisory services are commonly leveraged by midmarket organizations to provide many of the strategic services that would otherwise be found in a CISO (Chief Information Security Officer) role.
Creating Measures of Success
In order to improve on or achieve a goal in cybersecurity (really, in any area of business), you must first establish how success will be measured. If the desired outcome has no native metric (unlike, say, network bandwidth), a system of measurement must be created.
BDO Digital worked with the firm to develop these metrics for measuring their levels of HIPAA and NYDFS cybersecurity compliance. The system can also be used by the firm and BDO Digital for ongoing risk assessment.
Meeting the Challenges of NYDFS
During the initial conversations, BDO Digital and the firm verified they fell under one of the NYDFS exemptions. This significantly reduced the scope of requirements.
The remaining requirements are what BDO Digital would consider the core of any mature cybersecurity program, including an Incident Response Plan. Even with the reduced set of requirements, BDO Digital found some significant gaps. The clock was ticking, as the March 1, 2018 deadline for NYDFS compliance was fast approaching.
As soon as the roadmap engagement was over, BDO Digital started remediating the gaps using both advisory and engineering resources. The firm was ultimately able to meet the deadline and confidently state that it had met the initial phase of NYDFS requirements. The filing was submitted in advance, and a weight was lifted from the compliance officer's shoulders.
Even though the firm met the initial deadline, there remains more work to be done. The roadmap also includes the steps and timelines required for meeting the three remaining deadlines over the next year. These steps are prioritized alongside other cybersecurity, IT, and business goals so the organization can remain on track while continuing to tackle the requirements laid out in the NYDFS cybersecurity regulations.
Meeting the Challenges of HIPAA
During BDO Digital's gap analysis and risk assessment, it was discovered that the firm's HIPAA compliance was sufficient on paper, but each area typically had only one layer of defense. BDO Digital raised the concern: "What happens if that one layer of defense fails or breaks down?" Questions like this helped to bridge the conversation from compliance to real cybersecurity protection.
Beyond Compliance - The Future of Cybersecurity
Beyond compliance, a proper cybersecurity roadmap often includes the following steps: moving from on-premises systems to the cloud, securing the data in the cloud, fixing other leftover issues, and finally establishing a Security Managed Services program to help maintain a high-performing, agile IT system.
For example, this firm resolved many of the compliance and security assessment issues found by moving email and unstructured data (file system) to Office 365 and SharePoint Online, respectively. Once the data was in Office 365, many more robust and easy-to-use security and compliance tools were available built in.
In addition to Office 365, BDO Digital recommended Enterprise Mobility + Security (EMS) E5 to take advantage of its identity-driven security, mobile device management, and information protection. Besides being an easier platform to secure, Office 365 is easier to use and maintain; it sets the stage for improved employee productivity.
Once the new system was secured, the firm was able to better prepare for more detailed verification such as penetration testing.
By measuring compliance and risk, the firm is now able to act quickly to meet new regulations. It has also allowed the firm to demonstrate and improve its HIPAA compliance and avoid HIPAA violations. This helps the firm avoid security breaches and avoid or minimize compliance fines in both the short and long term.