With the losses associated with cybercrime expected to hit around $6 trillion by 2021, security has become a top priority for many businesses. These companies diligently implement compliance initiatives in the hope that they can ensure security within their organisations. But here’s the thing: achieving compliance doesn’t necessarily mean that your business is fundamentally secure.
Last year, Verizon published a report that revealed a major eye-opener regarding compliance. According to that report, 45% of PCI DSS certified customers needed remediation, meaning that these businesses still had to improve their security controls in order to be considered secure under PCI DSS.
It’s important to note that these businesses had already passed a previous compliance audit. In fact, they had been certified as fully PCI DSS compliant. In other words, they had already spent a considerable amount of time, attention, and money establishing IT security controls that met PCI DSS requirements.
What happened?
A false sense of security from regulatory compliance checklists
Having ticked all the boxes in their regulatory requirements checklist and, in turn, received validation from auditors, some companies develop a false sense of perpetual security. That can be dangerous because the state of being compliant (and, by extension, being secure) can be temporary and even fleeting.
In fact, your level of security will be at its apex just before and during a compliance audit. After that, it usually goes downhill.
After passing a compliance audit, some organisations become complacent and slowly (inadvertently or intentionally) weaken their controls. They might forget to patch or update operating systems, applications, and perhaps even IT security solutions. End users might circumvent security policies for convenience, while at the same time threat actors develop and discover new ways of breaking into systems (e.g. through zero-day vulnerabilities).
As a result, the risk of a data breach increases with time. Depending on the regulation, the next audit (and the compliance activities that precede it) might not arrive for a year or two. In the meantime, new threats and vulnerabilities appear almost daily. So, the further you move from the compliance audit, the greater the chances of suffering a cyber security incident.
Compliance needs to be an offshoot of security
Compliance needs to be an offshoot of security, not the other way around. If your only basis for achieving security is a certificate of compliance, you risk becoming complacent after receiving that certificate. Besides, compliance checklists are sometimes not prescriptive enough. Either that, or they include prescriptions that businesses focused only on passing an audit can easily take advantage of.
Let me give you a concrete example. PCI DSS Requirement 6.6 says:
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
So, if your organisation simply conducts a review of its public-facing web applications once a year, it can already achieve compliance. That doesn’t mean you’re secure, though. What if, a week after your review, someone discovers and exploits a vulnerability that affects those same web applications? That means you’ll be living with an unpatched vulnerability for the remaining 51 weeks.
The better way would be to adopt a security culture that:
- Enjoins all stakeholders (employees, managers, executives, board members, etc.) to embrace a security mindset;
- Exceeds the specifications of a compliance checklist; and
- Keeps you compliant every single day, in every way, after a compliance audit.
Don’t get me wrong. Compliance is still very important. You can use that compliance checklist as a guide and baseline for IT security. But because it’s a baseline, you may need to do more.
Next steps
There’s absolutely nothing wrong with striving for compliance or being passionate about it. However, we shouldn’t simply stop at completing checklists or passing regulatory audits. Beyond achieving compliance, establishing security in the IT framework should be the ultimate goal. Once IT security becomes interwoven into the fabric of your organisation, compliance can be maintained the whole year round, not simply achieved at a point in time.
Adopting a security culture is easier said than done. What if you don’t have the in-house expertise or talent to spearhead such an endeavour? Most small and medium-sized businesses certainly don’t have that privilege. Your best option is to partner with a reputable IT firm that can help you cultivate the culture you need to establish. We can help you with this strategy.