Has compliance become another form of window-dressing?

Glenn Warwick, Principal Cyber Security Consultant, Bridewell Consulting, says organisations need to put practicality before appearance when it comes to chasing compliance.

Compliance could be becoming the next form of ‘greenwashing’ as organisations scramble to appear compliant rather than ensuring that they have the right measures in place. Greenwashing implies a business provides false or misleading information to appear more environmentally friendly than it actually is. Just like sustainability, businesses need to be careful that their pursuit of compliance is guided by the right intentions. Some might be investing heavily in security controls they don’t need through fear of looking like laggards when it comes to compliance and risking their reputations.

Organisations need to think past the way compliance makes them look and instead consider which practices they need to be putting in place. Those failing to do this risk misplacing their investments in security measures that may not actually address the specific security risks they’re facing.

Prescriptive legislation misconceptions

Organisations have long been expected to run in line with legislative requirements, and this reached a pinnacle with the introduction of GDPR in May 2018. As part of this legislative change, organisations were closely policed on their data security, with significant fines imposed for data breaches – and as a result, many businesses undertook urgent reviews of their security measures, with many deciding to implement security standards such as ISO 27001.

Having aligned to a security standard, many businesses naturally sought to obtain full certification. But without true organisational buy-in, simply achieving certification is no guarantee of genuine cyber-security. It isn’t enough just to go through the motions of compliance; businesses must commit to ongoing workforce education and invest in the right resources to truly reap the benefits of upholding these standards.

Keeping pace with new threats According to Risk Based Security research published in the 2019 MidYear QuickView Data Breach Report, the first six months of 2019 saw more than 3,800 publicly disclosed breaches, with 4.1 billion compromised records. If organisations don't maintain a healthy cyber security

culture or implement the right dedicated resources to manage their security on a daily basis, widespread adoption of these operational security practices is unlikely.

To achieve true, long-lasting cyber security, organisations must continually assess risks, educate employees and invest in the right resources. By ensuring that their security controls keep pace with the changing threat landscape, companies can continually deploy the latest and greatest techniques to combat exposure, allowing them to avoid breaches, as well as any heavy associated fines.

Achieving a strong cyber security posture

Assuming that a security certificate alone will provide adequate data protection is the riskiest part of the UK’s current ‘compliance culture’. If businesses focus on simply achieving certifications, then there is a risk of breeding a culture where employees do not feel accountable or responsible for upholding best practice. This, in turn, is likely to result in reactivity rather than proactivity; where companies only invest time and effort when renewing their certifications. Any subsequent staff awareness campaigns are then likely to be geared towards passing an audit, rather than genuinely raising awareness or educating staff about cyber security. Whilst this approach can satisfy the desire for compliance, simply going through the motions won’t keep the company secure. So, while organisations must follow industry standards, it’s clear that the key to success comes when they are adopted into daily business operations.

When it comes to data security, one of the weakest links is the risk of human error. If the workforce is not operating in a secure way, the risks of a data breach can increase. Best practice security measures such as running phishing campaigns and implementing mandatory password updates can help to protect against human error when appropriate.

Maintaining security in the current climate

Security needs are ever changing, and never more so than in the current climate. As a direct result of the Covid-19 pandemic, organisations have had no choice but to reassess their security software and processes to account for a large-scale global shift to remote working. With millions of employees now working from home, many will be accessing their employers’ servers from their home networks, where security is much harder to monitor.

It’s no surprise, therefore, that almost half of organisations have suffered a cyber security incident as a result of the sudden shift to remote working, according to a survey undertaken by Barracuda Networks. It was discovered that 46% of organisations across the UK, US, France and Germany have suffered at least one “cybersecurity scare” since the lockdown began, suggesting that scammers are taking advantage of the unprecedented situation to infiltrate organisations’ systems that are now more exposed to threats.

With the combined consequences of a weakened set of operational security resources, reduced revenue, furloughed staff and redundancies, a lot of companies have been hit hard. As such, the resulting financial and logistical issues have meant that these businesses are struggling to operate with the same level of security as before the pandemic. Now, more than ever, it’s important for businesses to make sure that they maintain security resilience

within their organisation. There could even be an increase in insider threats, with heightened levels of redundancies and layoffs causing concern that disgruntled employees may try and retaliate via security attacks.

By keeping abreast of the various different attack methods that businesses may face, vulnerabilities can be better identified, contextualised, monitored and managed to limit any adversaries or malicious attackers from exploiting software or process-based weaknesses. This is a continued threat; and as such, it’s essential that organisations can promptly and proactively mitigate against any vulnerabilities as soon as they are identified. Typically, this can be achieved through maintaining basic cyber security hygiene practices such as software patching, or via alternative mitigating strategies such as the hardening of an operating system, or enhancing security provided by firewalls and endpoint protection.

Strength in numbers

It’s also essential to identify the correct level of security for each organisation. By working as a community, different sectors can capitalise on guidance and support from a competent authority; using a baseline cyber assessment framework against which they can measure their own security practices and identify areas of improvement.

Of course, as previously discussed, simply complying with this baseline is not enough. Without considering an organisation’s individual needs, it is likely that they will end up with inappropriate, ill thought-through security controls that have been put in place simply to meet arbitrary security requirements. Compliance is one part but adhering rigidly to a prescriptive set of requirements is quite another. Working with a security expert can help businesses pinpoint their own specific needs within the restrictions of legislative compliance; determining the security controls that they need and supporting them to make the right decisions.

Above all, working to implement the right security in the right places will reduce the organisational culture of ‘compliance showcasing’. Rather than scrambling to pass an annual audit or achieve the latest ISO accreditation, businesses can move away from blind legislative compliance to truly focus on the ‘why’ – helping them navigate the uncharted waters of lockdown, keep their reputation intact, and stay secure for the future.

By Barry O'Donnelll, Chief Operating Officer at TSG.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Milou Lammers, Director of Compliance, iland.
By Brett Beranek, Vice-President & General Manager, Security & Biometrics Line of Business at Nuance Communications.
By Michael Queenan, co-founder and CEO of Nephos Technologies.
By Tawnya Lancaster, Lead Product Marketing Manager, AT&T Cybersecurity.
Why businesses need a bigger boat for tackling IaC security By Robert Haynes, SCA & Open Source Evangelist, Checkmarx.
Cybersecurity continues to be a major challenge for companies, with as many as four in ten businesses (39%) reporting cyber security breaches or attacks in the last 12 months. By Richard Slater, Head of Managed Services at Amido.