There Is No Way Around Cybersecurity. What Can Stand in the Way of a Company Entering the International Market?

26.08.2024

Entering the international market is a new level of organisation that involves many challenges. When launching a business abroad, it is essential to consider many details, from the office and staff to legal support and local market features. However, entrepreneurs often overlook one mandatory item: compliance with cybersecurity standards.

Global Trends to Strengthen Cybersecurity

First, cybersecurity is not just a passing trend, nor is it limited to training employees not to click on unfamiliar links. Cyber threats are becoming more dangerous and constantly evolving, so governments and companies of all sizes and across various industries actively invest in cybersecurity. 85% of companies plan to increase their cybersecurity budgets. Over the past decade, numerous mandatory cybersecurity and data protection regulations have emerged, which organisations in the EU, America, and Asia must comply with.
Ukraine still has a lot of work to do to develop comprehensive cybersecurity regulations. While our Western partners acknowledge our experience in combating cyber threats in the context of cyber warfare, we still lack mandatory certification, even for government agencies. However, under the initiative of USAID's "Cybersecurity of Ukraine's Critical Infrastructure" project, critical infrastructure facilities have begun to be tested for compliance with the NIST CSF cybersecurity framework. IT Specialist is one of the companies providing a full range of these services. Currently, Ukraine ranks 78th in the global cybersecurity ranking.
In addition to protection, compliance with cybersecurity standards is crucial for maintaining your organisation's reputation and trust internationally. For example, according to Cisco, 86% of respondents are concerned about their data privacy, and 79% are willing to invest time and money to protect their personal information.
What regulations can businesses face when entering international markets?

General and Industry Standards: Who are they for?

If your business interacts with EU citizens' data in any way—such as collecting personal information through your website—you must comply with the GDPR (General Data Protection Regulation). The GDPR's requirements include the secure storage, transparent collection, and processing of personal data belonging to EU residents. Non-compliance can lead to lawsuits and fines, and a resulting data breach carries even more severe penalties. For instance, in 2023, organisations were fined over €1.6 billion for failing to comply with the GDPR.
The good news is that complying with the GDPR requirements in good faith is sufficient; certification is not mandatory.

SOC 2

SOC 2 (System and Organisation Controls) is an important standard for companies that provide services to other organisations. Developed by the American Institute of Certified Public Accountants (AICPA), it assesses data security, availability, processing integrity, confidentiality, and privacy controls.
The SOC 2 compliance audit process includes the following components:
● Quarterly vulnerability scanning of all internal systems, with all critical and high-severity vulnerabilities tracked until they are patched.
● Event log management tools are used to identify incidents that could potentially affect security.
● Penetration testing is performed at least once a year. A recovery plan is developed, and changes to eliminate vulnerabilities are implemented within the SLA.

ISO 27001

ISO 27001 is an international standard that specifies requirements for an Information Security Management System (ISMS). This standard protects an organisation's information assets and ensures their confidentiality, integrity, and availability. ISO 27001 certification demonstrates that a company is committed to cybersecurity and effectively manages information security risks.
This standard is not mandatory but can benefit organisations participating in tenders, providing them with added status and advantages. Additionally, ISO 27001 is an excellent guide for organisations looking to build an effective ISMS.
Specialised Standards by Industry

From the general to the specific: Did you know that certain industries have unique cybersecurity requirements? Financial institutions, healthcare facilities, and other sectors that handle personal data or are critical to national economies often have specialised cybersecurity regulations.
NIS2 for Critical Infrastructure and Services in the EU

The new EU directive NIS2 (Network and Information Security Directive) aims to enhance the cybersecurity of companies providing critical services within the EU. It primarily applies to critical infrastructure facilities and enterprises but also extends to digital services and cloud solutions providers and sectors such as finance, chemicals, and food industries.
However, the Directive does not apply to companies with fewer than 50 employees or an annual turnover of less than €10 million, or an annual balance sheet not exceeding €10 million.
Another common industry cybersecurity standard is PCI DSS (Payment Card Industry Data Security Standard). This standard is established by the payment systems VISA and Mastercard, rather than government agencies. Companies that provide payment services or process payment card data must comply with PCI DSS to conduct transactions through these systems.
Unfortunately, if you think cybersecurity is only for large IT companies, that's not the case. One in ten small and medium-sized enterprises suffers a cyberattack annually, and 75% of these businesses cannot continue operations after a breach.
The American Market and Its Peculiarities

Cybersecurity is equally crucial if you plan to work with the American market. According to ISACA, one in three clients in the U.S. will stop doing business with a company after a cyber incident. The gold standard for organisations in the United States is the NIST CSF (Cybersecurity Framework) and the level of compliance with it. While compliance is not mandatory, a high level of adherence can provide a competitive advantage, particularly with customers, partners, and government agencies.
The U.S. also has specific regulations for certain states and industries:
● CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act): These acts serve as California's equivalent of the GDPR, establishing regulations for the processing of personal information of California residents.
● COPPA (Children's Online Privacy Protection Act): This act requires organisations that offer services directed at children to obtain parental consent before collecting and processing personal data, and it regulates the storage and use of such data.
● HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act): These standards govern patient privacy and define how medical data should be protected and transmitted electronically.
Before starting a business in another country, it is essential to thoroughly research not only the legal framework but also the specific cybersecurity requirements for your industry. For example, HIPAA and HITECH apply to the healthcare sector in the U.S., while NIS2 pertains to cloud services in the EU.
When starting a business abroad, ensuring compliance with the country's general cybersecurity standards and your industry's specific requirements is crucial. This approach will protect your company from potential sanctions, enhance trust with partners and customers, and help prevent financial and reputational losses due to cyber incidents. Investing in compliance and cybersecurity measures is an investment in your business's stability and growth.
Author — Dmytro Chub, Head of Information Security Audits at IT Specialist