Compliance should be an essential part of business operations, regardless of industry. Taking preventative measures to manage compliance and mitigate risk can feel like a hassle upfront, but it can save your organisation huge costs in the long run. Compliance violations can result in fines, penalties, lawsuits, loss of reputation, and more. However, your efforts should not stop at obtaining a compliance certificate, rather they should expand to accelerate your cybersecurity posture.
Compliance frameworks to pay attention to
If you are operating in the UK, getting the Cyber Essentials accreditation is a great way to reassure your customers that you are taking all required precautions to secure your IT and their data against cyber-attacks. In addition, the certification allows you to attract new business opportunities since you are demonstrating a sound cybersecurity posture that builds on your brand name and trust. Finally, some UK government contracts even require that contractors obtain the Cyber Essentials certification.
Further, the ISO 27001 standard is designed to function as a framework for an organisation's information security management system (ISMS). The goal of ISO 27001 is to provide a framework of standards for how a modern organisation should manage their information and data. Risk management is a key part of ISO 27001, ensuring that a company or non-profit understands where its strengths and weaknesses lie. ISO maturity is a sign of a secure, reliable organisation that can be trusted with data.
Simultaneously, organisations don’t want to get saddled with non-compliance penalties from regulators. These can be high depending on the standard set or framework with which they’re non-compliant. For example, non-compliance with European Union’s General Data Protection Regulation (GDPR) could incur a fine of 10 million Euros or 2% of global turnover (whichever is greater) for offences relating to child consent and transparency of communication, among other issues. That amount jumps to 20 million Euros or 4% of global turnover (whichever is greater) for slipups involving responsibilities like data processing, data subject rights, and transferring data to a third party.
Investing only in compliance opens the door to attacks
The common denominator behind all compliance regulations and standards is that organisations should practice basic cyber hygiene measures. In many cases, this comes down to truly basic elements that are too often overlooked. And here lies the real problem.
Many organisations consider compliance as a checklist exercise and fail to look further to realise that meeting and maintaining regulatory adherence is only a first step towards a strong cybersecurity posture. Hence, organisations are eager to fund compliance projects to avoid paying the fines and forget to further invest in building infrastructure, establishing processes, and empowering people to become resilient against advanced cyber-attacks.
As a result, they remain vulnerable even to known attack vectors. Take for example authentication and access management. Many organisations deploy multifactor authentication only to protect privileged accounts or cloud-based apps. Criminals are aware of this wide-open door, and they successfully target other employees and services to gain access to corporate networks.
Although compliance is important, a strong cybersecurity posture is critical. “Within organisations’ budgetary boundaries, companies have to defend and protect against attacks while they also seek to comply with complex regulations,” underscores the World Economic Forum.
“Policymakers, thus, need to weigh their decisions with this impact in mind. Individual regulations may have similar intent, but multiple policies add complexity for businesses that need to comply with all regulations, and this complexity introduces its challenges to cybersecurity and data protection, not always improving them. Policies must be creative in increasing protection while decreasing regulatory complexity,” WEF concludes.
Securing budget for cybersecurity projects
It all comes down to changing mindset about cybersecurity. “You have to change the conversation and make it about adding value. The challenge is that cybersecurity is often seen as a cost centre or something that slows down innovation or business processes. But if we can change the narrative, then securing the budget won’t be such a challenge,” says Garry Hibberd, Professor of Communicating Cyber.
Changing narrative means talking the language that executives understand – money, cost savings, profit, return on investment. “Focusing on the people around the Boardroom table and what they are trying to achieve, we can reframe what we do to support and help them. The CFO typically wants to save money, so show how spending on cybersecurity can be better targeted. The CEO will want to increase market value, so show them how good cybersecurity can protect brand reputation. The Sales Director will want to increase sales, so show them how they can use cybersecurity as a business differentiator and a competitive advantage,” explains Hibberd.
Securing budgets for cybersecurity projects is more than just talking about risk. It is about having (and developing) communication skills – being able to align cybersecurity benefits to business goals. “We must become better communicators of the benefits of what we do,” he concludes.
Six tips for cybersecurity excellence
The best way forward for organisations is to move to a stronger cybersecurity position and then use this foundation to meet their cybersecurity goals as well as their compliance obligations. They can do this by following these recommendations:
- Think cybersecurity first. This will help as compliance standards only get tighter. If you have a cybersecurity start point, you can cover much of the evolution of the tightening of regulations.
- Change your mindset from reactive to proactive. Budget must be found if there is a cybersecurity issue such as a breach. Whatever this price tag ends up being, it will be several times more than if organisations had initially invested in preventing an incident from occurring in the first place. With that in mind, getting stakeholders to think about cybersecurity proactively is critical. This can be done by talking about cybersecurity issues in terms of business risk, keeping cybersecurity as a continuous topic, etc.
- Use your compliance data to bolster security. If you are collecting data to be compliant, don’t just sit on it. Use it to help your cybersecurity efforts. It will be a relatively small add on of resources ultimately.
- Encourage cybersecurity training and awareness. Getting the right mindset in staff will reduce the chances of issues arising in the first place. Plus, you have many sets of eyes on the potential risks rather than just those with cybersecurity in their job titles.
- Develop a disaster plan. Engaging with your stakeholders in creating a disaster plan will help them become more aware of the risks and costs of incidents such as data breaches. It will also encourage them to consider what the organisation can do proactively to prevent these types of events from happening.
- Realise that you don’t need to go it alone. You can use trusted security tools to monitor the risk landscape as it relates to your organisation. If you lack the internal expertise necessary for using these security tools, you can outsource your program.
Want to learn more? Download our whitepaper to explore the gap between cybersecurity and compliance and read about how others in the industry are overcoming some of these challenges.