It’s Cybersecurity Awareness Month: Why Compliance Is More Crucial Than Ever To Securing Our World

OCTOBER 8TH, 2024

The President of the United States and Congress first declared October “Cybersecurity Awareness Month” precisely two decades ago, in 2004. This year, the Cybersecurity & Infrastructure Security Agency (CISA) continues last year’s theme, “Secure Our World.” The purpose is to raise awareness about the importance of cybersecurity. That awareness must extend to compliance for any organization because it directly impacts your data protection, privacy, backup, and disaster recovery strategies.

But compliance isn’t important just because governments say so. It also matters because these regulations force you to implement best practices that can save you massive amounts of money—and even your company.

Arcserve’s recent independent study of senior IT professionals, the State of Data Resilience in the Enterprise 2024, makes it clear compliance is crucial because it’s inevitable that ransomware, a breach, or some other type of data loss will hit you. A whopping 80 percent of respondents said their organization had been hit by ransomware, and almost half say their organization has experienced significant revenue loss due to data loss incidents.

Organizations that do business nearly anywhere outside their own neighborhood are subject to some type of regulation, and you may be impacted by additional local, regional, and national rules on top of that. The most notable of these are the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), the NIS 2 Directive, the California Consumer Privacy Act (CCPA), and Japan’s Act on the Protection of Personal Information (APPI). These regulations force improvements in data resilience, and failure to comply can be costly in terms of financial penalties and reputational damage.

GDPR: Strengthening Data Protection for EU Citizens

The GDPR, designed to protect the personal data of EU citizens, is one of the most stringent regulations in force worldwide. It requires organizations that do business in the EU to implement strong measures to protect data, ensure transparency in data processing, and immediately report breaches. The regulations include data minimization, requiring that you collect only the customer data you really need.

While the GDPR doesn’t require encryption to protect personal data, it is recommended as a technical security measure. We suggest you follow that recommendation and ensure your data is always encrypted—in transit and at rest—as one vital defense against data loss. 

For “especially severe violations,” non-compliance with the GDPR can result in fines of “up to 20 million euros, or in the case of an undertaking, up to 4 percent of their total global turnover of the preceding fiscal year, whichever is higher.” Those high costs make it easy to decide to invest in data protection that ensures compliance.

DORA: Ensuring Operational Resilience in the Financial Sector

DORA, like the GDPR, impacts any organization doing business in the EU. It intends to ensure financial institutions have the operational resilience to withstand, respond to, and recover from all types of information and communications technology (ICT) risks, including ransomware and other cyberattacks. The core components of DORA include:

• Significant cyber incidents must be reported to authorities within very short timeframes

• Regular operational resilience testing must be conducted to assess cybersecurity defenses

• Because DORA holds companies responsible for the data resilience of their third-party service providers, organizations must assess risks throughout their supply chain

If you operate in the financial sector, DORA requires that you do more than simply secure your systems. You must also ensure your entire operational framework, including backup and disaster recovery systems, is resilient against potential disruptions. Learn more in this post.

NIS 2: Protecting Critical Infrastructure

The NIS 2 Directive “is a legislative act that aims to achieve a high common level of cybersecurity across the European Union.” This update to NIS, released in 2023, addresses the increasing threats to essential services like healthcare, energy, finance, and transportation. NIS 2 requires enhanced cybersecurity practices and regular assessments of your organization’s resilience against cyberattacks, natural disasters, and other disruptions.

NIS 2 directs that you develop and implement incident response plans and disaster recovery strategies and ensure your critical data—including backups—is available and protected. You must also report significant incidents to authorities promptly. Learn more in this post.

CCPA: Protecting California Consumers

The CCPA can apply to businesses anywhere in the world that "do business" in California. It gives citizens significant control over their personal data, including mandating that organizations notify individuals regarding what data is collected, allowing consumers to opt out of sharing their data, and complying with requests to delete personal information.

Fines can reach $7,500 per violation, with every individual’s data considered a violation. So, a significant breach can be incredibly costly. Compliance requires ensuring your data is secured at all times, backed up regularly, and protected against unauthorized access.

APPI: Comprehensive Data Protection

Japan’s APPI is one of the most extensive data protection regulations in Asia. It applies to all companies that collect and process the personal data of Japanese citizens. APPI requires user consent for data collection and mandates transparency in data usage, stringent security controls, strong encryption protocols, and effective backup solutions.

Non-compliance can result in substantial penalties, including public disclosures of violations, which can damage your organization’s reputation.

Ensuring Compliance With Arcserve UDP 10

Other regulations, from HIPAA to PCI DSS, may impact your organization. Regardless of the regulatory requirements, Arcserve Unified Data Protection (UDP) 10 offers the robust capabilities you need to protect critical data and ensure compliance.

To learn more about Arcserve UDP, request a demo or take advantage of our 30-day free trial offer.
