Jon Andrews | teiss.com
Jon Andrews at Gurucul argues that a threat-based approach to cyber-security is more important than ticking boxes
According to data from IBM, the average cost of a data breach today has risen to over $4.2 million. These costs include investigation of the breach, clean-up and recovery, and they act as a warning to organisations that it is far cheaper to prevent a breach than to recover from one, so cyber defences must be a priority for all businesses.
However, when it comes to cyber-security, many businesses today are caught in a compliance conundrum where their focus is on ticking regulatory checkboxes, without taking a threat-based approach to improving their cyber resilience.
These organisations use regulatory compliance as a baseline for cyber-security and believe that by meeting their requirements they are secure and protected against threats.
But, in reality, regulatory compliance does little to prevent and mitigate cyber attacks.
The regulatory compliance conundrum
While regulatory compliance is essential in helping organisations protect consumer data and company digital assets, meeting their requirements is not enough to protect against the targeted and sophisticated attacks companies are facing today.
Compliance is geared towards the minimum best practices that organisations should employ to protect their customers' and their own data. However, given the frequency and severity of the attacks businesses are facing, bare-minimum security defences do little to keep determined hackers out of networks. Ultimately, this intense focus on compliance could actually be doing more harm than good.
Today, security teams live in fear of failing to comply, worrying about the monetary fines, legal penalties and ruined reputation for the business. But this approach is costly and potentially jeopardises cyber-security. The average compliance costs in the UK are between £3.2 and £4.1 million each year, but this cost could be avoided if organisations took a security-first approach to their cyber defences.
If security teams go above and beyond to protect systems, the business will most certainly be compliant. As a result, organisations may see more benefit by flipping their security programmes around, so that cyber resilience comes first and compliance is achieved naturally through a robust security architecture.
So, what should businesses do to improve their cyber-security, which not only increases their resilience against today’s top attack vectors, but also enables them to meet regulatory compliance?
Best security practices to achieve resilience and compliance
Today many businesses across the world are going through a period of rapid digital transformation. Much of this has been in response to the COVID pandemic, but it has meant that the digital estate of most businesses has grown significantly and become harder to secure.
As a result, prioritising the security of expanding digital estates is a must for all businesses. This means identifying all assets connected to networks and ensuring they are secured and up to date with the latest vulnerability patches.
Unsecured devices are a common attack vector that criminals exploit to gain access to networks, steal data and deploy ransomware, so taking steps to secure every network-connected device is essential. It will also help meet compliance regulations.
One of the best ways to achieve this is to run vulnerability assessments. Once all connected devices have been identified, vulnerability assessments let organisations find any weaknesses that could put them at risk and then take steps to remediate them.
Additionally, organisations must take more steps to secure their users and their credentials. Employing Zero Trust security policies limits what users can access on the network and makes it more difficult for malicious insiders to reach intellectual property and sensitive data.
Another critical security step for businesses is to keep up to date with attack trends and threat activity. It is widely agreed that ransomware is today's most active threat, so being prepared and able to defend against it is essential. Organisations should not only employ security that detects ransomware before it gets onto systems, but also use tools to prevent data exfiltration, because any data leakage will have a significant impact on regulatory compliance.
While regulatory compliance is an important part of cyber programs, meeting requirements does not equal security. Instead, a more cost-effective and security-focused approach is to improve cyber resilience.
Not only will this help businesses keep determined hackers out of their networks, but their robust security architecture will also help them meet important regulatory compliance requirements.