[BreachExchange] Compliancy alone won’t protect your business from cybercrime

Destry Winant destry at riskbasedsecurity.com
Mon Feb 11 08:42:06 EST 2019


https://www.iol.co.za/business-report/opinion/compliancy-alone-wont-protect-your-business-from-cybercrime-19164877

Cybercrime is growing ever more prevalent and, in the wake of a year
of highly publicised hacks and malware attacks, businesses are viewing
security in a far more serious light. However, cybercrime is keeping
up with the technology curve, so can a business ever be truly safe?

The honest answer is that there is no sure-fire way to completely
protect a business from cybercrime. Hackers are incredibly motivated;
the payout on a successful hack of a large corporate, financial
platform or online shopping portal can be life-changing. Their sole
purpose is to seek out vulnerabilities and prey on them – they’re
smart and they’re good at it.

Compliancy helps

The rise in cybercrime has also brought about the introduction of
regulations around the protection of personal and financial
information. A good place to start for any organisation to secure
their environment is to adopt, embrace and comply with various
standards, such as those set out by the PCI Council.

However, even being compliant does not guarantee safety from a
security breach. Being Payment Card Industry Data Security Standard
(PCI DSS), Protection of Personal Information (PoPI) Act or General
Data Protection Regulation (GDPR) compliant certainly helps businesses
to cover the basic minimum-security requirements, but security needs
to be more comprehensive in order to offer adequate protection.

Covering the bases

Businesses are beginning to understand the risk associated with
cybercrime and are taking some steps, yet most are still unprepared
for attack. After a publicised attack, many organisations review and
update their security measures but, once complete, they fall back into
a sense of complacency and their security falls behind until the next
public incident.

It’s important for the business to continually review and update its
security strategy. Annually is not enough. Ideally, the business
should do this at least once per quarter, or every time an update is
done or technology is introduced or changed – whichever comes
first. The company may consider itself completely protected at the
time of its security assessment, but new threats are introduced
weekly and businesses are fighting against a force whose sole focus is
to find vulnerabilities.

Compliancy covers some of the bases, requiring certain levels of
vulnerability and patch management, security awareness, security
testing, etc. Each business has its own set of unique risks, security
needs and business cycles, which need to be taken into consideration
with the security strategy. A business should adopt the approach which
best suits its unique requirements.

Understand the risks

Moreover, the business should ensure it performs a proper risk
analysis. Everything a business does, from putting processes in place
to adopting technology, is typically associated with some sort of risk,
and that risk drives the business’s activities around how to protect
itself.

In order to protect against cybercrime, the business needs to
understand its unique risks, as well as how to prioritise and mitigate
them. Perhaps more importantly, there should also be a plan in place
for how to deal with those risks should they materialise.

Use a professional

Unless an organisation is in the security or cybersecurity business,
it’s likely that it isn’t expert in security. A knowledgeable
information security team should therefore be hired, or this function
should be outsourced to an information security specialist. Doing
so will help guide the business in understanding its environment,
how to protect it, and how to handle any incident that occurs.

If a team is hired or a company is contracted, they should be held
responsible for the security strategy of the business and should
collaborate with the business – or other business departments – to
ensure the strategy is holistic and covers every possible risk. In
addition to this, the team or company will also be responsible for
updating the security strategy, implementing it and testing it
regularly to ensure it works.

Implement best practices

Many businesses adopt some form of security best practice depending on
the industry. However, these best practices may not be comprehensive
enough to mitigate all the risks. It’s better for a business to align
itself with a particular established standard which provides security
posture metrics against which maturity levels can be measured.

There are several models and frameworks available which businesses can
build strategies around in order to ensure security stays ahead
of the maturity curve and that the business is protected as well as
possible.

Comprehensive security strategy

Part of any security strategy is having well-defined comprehensive
security, compliance and risk programs in place. These need to be tied
together, driven by professionals and measured against the relevant
maturity standards.

It’s true that, on their own, security, risk and compliance programmes
individually help organisations to protect against cyber threats.
However, combined and with regular review, testing and updating, they
give businesses the best chance of staying a step ahead of hackers.
