Actions Speak Louder Than Compliance: Why being "good enough" is bad for cyber security
16 August 2017 14:41
There's a big difference between ticking the cyber security compliance box and truly being invested in cyber security. Simply put, compliance is the bare minimum needed to protect your business. Here, we cover some of the main limitations of being "good enough".
In many cases, compliance is like a blanket that offers a level of immediate protection from the freezing weather, giving us an instant feeling of warmth and safety. But ultimately, it can’t address the underlying threat of us freezing to death.
And that (pretty blunt) analogy is a very familiar feeling in the world of cyber security.
Compliance helps organisations recognise and implement the fundamentals, giving us a checklist of what we know how to cover. But what about the other threats? After all, the biggest risk to your business is no longer the outside attackers -- it’s hard-working, trusted employees within your ranks (over 90% of all cyber attacks are caused by or contain human error).
So what other ways does ticking the box fail to, well, tick the box? Here are some of the main ones that we find when speaking to IT leaders day in and day out.
Compliance standards are the bare minimum demanded from your industry
Think of it this way: If you were in charge of keeping a bank secure, would you use the cheapest locks available to secure your vault? Would you implement the lowest standards of cameras, and the lowest numbers of guards needed?
Cyber security compliance is the bare minimum to protecting your customers, clients and workforce. It should never be used as a complete blueprint for your organisation’s security -- as most of the standards are, in reality, far lower than what’s actually available to you.
Compliance regulations can’t keep up with all the new threats
New attack vectors are coming alive every single day. Add that to the fact of compliance regulations taking some time to implement, then you’re ultimately never going to be adequately secure.
That’s why, in many cases, being ‘compliant’ means that you’ve met what was the lowest standard of security. You’ve learned and adjusted to the events that have happened in the past year, but now you're there with sweaty palms looking at what’s to come in the future.
Educational needs aren’t adequately covered by compliance policies
Just like we touched on earlier, employees are the biggest risk to your organisation. Cyber criminals are targeting the human side of businesses more and more -- and they’re reaping the rewards. Other than just jotting policies down in a notebook, flipping the page, then revisiting them in time for the next review, policies need to be constantly adjusted and monitored.
Employees need to be trained and frequently reminded to:
- Lockdown machines whenever they’re away from them -- as a matter of habit, not just because they know that there’s an inspector around
- Know the difference between a “safe” link and one that they shouldn’t click on
- Avoid giving away vital information, from their username and password to private information
- Spot phishing emails and other common scams
- Craft an effective password and maintain strong password hygiene throughout their employment
Read Next: Does Security Awareness Training Even Work?