Security and compliance very rarely intersect – but are often misconstrued as being two sides of the same coin. Many organisations will say they define their security policies based on regulatory requirements. In theory this may be true; in practice, there is very little alignment between meeting regulatory requirements and adhering to risk-mitigating security practices. Being compliant and being secure are two very different goals with less overlap than we might imagine.
Businesses adhere to regulatory compliance via governance, process and procedures. It’s a one-size-fits-all approach, offering minimum expectations which companies are required to meet. Security defines how businesses store and distribute data to protect them from cyber threats effectively. The fundamental difference between compliance and security is that compliance requirements are predictable and often change slowly. Security, however, is dynamic and threats move at a faster pace than compliance. Both presumably work towards the end-goal of reducing risk. However, compliance alone does little to minimise threats, which is self-evident when looking at companies that have been hacked, even with regulatory standards put in place to prevent such attacks.
The personal information of customers is being compromised because of security breaches within larger organisations, while small-to-medium-sized organisations are targeted as entry points to infiltrate supply chains. Organisations are starting to feel the urgency that such risks pose to their business. According to security experts: There are two types of companies: those experiencing a hack, and those who don’t yet know they are experiencing a hack.
For Australian businesses, government contractors, as well as suppliers, it is vital to ensure they comply with and fulfil the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) requirements. The Department of Finance needs suppliers to include industry-accepted data protection plans with their proposals and contracts, and breaches must also be reported. As such, companies need to raise cyber security standards.
Compliance is regulated and leaves little room for innovation. It is often nothing more than a yes or no question and answer. Regulations are not intricate and involve password security, which is only valid if the characters are complex and lengthy; something most organisations are unable to use. Prescribed policy regulations then lock out a user’s account if the password is entered incorrectly after a few attempts. But this account lock-out policy is not necessary if you use a longer, more intricate password. However, this does not stop hackers who will make several attempts until forcibly locking users out.
Manipulating people to reveal sensitive information, or “social engineering”, and phishing constitute between 70 and 90% of cyber-attacks, yet these attacks are not well documented. Regulatory compliance documents encapsulate government regulations, security frameworks and clients’ contractual terms, acting as a means to facilitate business requirements for a third party. There is very little awareness about security or recommendations to prevent attacks. Organisational knowledge is lagging, leaving gaping holes around data security.
Technology changes faster than regulators can keep up, and new technology brings new risks. However, the pace at which regulations change is slow. It can take almost two years for regulators to understand and identify weaknesses, update and publish requirements and then set a viable timeline for compliance. During this period, an organisation whose strategy for security emanates only from compliance becomes susceptible to attacks. Compliance is about more than merely installing firewalls. Innovations such as cloud computing and significant data warrant staying up to date with security controls and best practices.
Business leaders make the mistake of operating with a “checkbox mentality” – the idea that meeting compliance regulations and avoiding penalties ensures meeting security needs. This compliance-first approach results in businesses recruiting Chief Compliance Officers, side-lining data security requirements. Staying compliant is an expensive and complicated exercise and requires the right expertise to keep on top of existing standards, without even contemplating new ones. Businesses, in turn, focus on meeting the minimum requirements, which is why we don’t view security as an independent business requirement which needs to work in conjunction with regulation. Compliance is typically addressed once a year, and as a result, cannot keep up with the pace at which cyber security changes daily. Threats are sophisticated, and evaluating security measures and integrating compliance controls is vital to create a cohesive, multi-layered web of security. Organisations are unaware that they create a blueprint for hackers through published regulations which highlight vulnerabilities.
Organisations are often reactive, chasing regulatory compliance because of financial penalties, rather than proactively planning their security independently. Little consideration is given to the financial implications of data breaches and ensuring customer data is safe. Organisations need to go above and beyond regulations but cannot because they haven’t done due diligence. A practical example of this is regulatory patch application – how an organisation applies and manages security patches to comply with regulations. Businesses rarely fully patch their servers. At best, they are 99% repaired, and the 1% leaves the company open to vulnerability. Additionally, reviewing logs must be a regular occurrence as these records contain relevant security information. But no one has the time to review these logs.
Static regulations can never be relevant and do not provide the robustness of security that protects data from an ever-evolving threat landscape. The business model putting compliance first is wrong, and businesses are suffering as a result. Building an effective cyber security system based on an organisation’s needs is something that needs to be implemented from the ground up. Compliance should, therefore, be a by-product of a reliable security programme, and not the source of it. Investing in a comprehensive cyber security strategy serves to enhance compliance and saves money while protecting your data and business.
Compliance plays a vital and pivotal role in a security strategy in the following five ways:
Compliance operates with risk assessments, and this information can guide an organisation’s approach and control environment to manage and mitigate risks effectively.
The somewhat nuanced regulations addressing cyber security are growing. The compliance functionality can implement policies, procedures and controls that meet these requirements.
Compliance has regular contact to effectively engage with all divisions within an organisation – from HR to legal and C-suite. It can, therefore, build a systematic approach connecting the dots across an organisation.
Compliance collates data to provide insights into employee engagement through the monitoring and audit processes needed to manage risks. For cyber security to work effectively, people, processes and technology need to work harmoniously. The information collected by compliance can help to influence employee behaviour creating the necessary change to complement security efforts within IT.
Metrics track progress and the return on investment, which comes from compliance monitoring. Such information can be extrapolated to form KPIs ensuring the maturation of cyber security programmes. Not only does this demonstrate a commitment to customers, but it also reflects a commitment to risk management and compliance holistically.
Cyber security is rudimentary because businesses are focused on compliance reporting. The level of acceptable risk for any company to continue this way of operating is quickly diminishing as cyber-attacks become more prevalent. Looking at compliance in isolation as a complete security strategy is limiting and dangerous – a very hefty price to pay. Organisations are more vulnerable to data threats than ever before, and compliance is the bare minimum of security to have in place. Companies must do more to ensure they protect their sensitive data.
Cyber security cannot be an afterthought addressed with traditional and limited compliance solutions. Cyber security should form part of an overall business strategy and should be a priority along with compliance, for a business to succeed and grow in this digital age. For organisations to remain genuinely innovative, and to realise any possible digital transformation, a particular focus must revolve around a security approach which focuses on business growth. It is as important as performance and agility. Reaping the full benefit of transformation is not isolated to digitisation, optimisation and automation – security and compliance form part of that structure.
It’s harder to make a business case for security in addition to compliance. Moreover, users don’t want experiences, speed, innovation and performance affected by security solutions. But in the realm of the Internet of Things, vulnerability risks have increased exponentially. Security, therefore, needs a strategy – and not just the addition of a few firewalls. Leaders require a mindset shift.
Rather than focusing on the cost of implementing additional security measures, factor in the cost of the losses if you fail to secure critical information properly. The reality, for most organisations, is that only when business is interrupted, data is stolen, compliance requirements are compromised or reputation goes down the drain does the impetus for better security hit home. Data and information are the lifeblood of a business and a source of revenue. The damage of cyber crime can make or break your business.
At Stickman, we practice Cyber Security by Design – which puts business first, looks at risk before choosing technology, and encompasses both aspects of regulatory compliance and the full gamut of Cyber Security.
For a confidential discussion of your risk, compliance, and cyber security, contact us today.