The adoption of cloud computing and the move to digital transformation should be a generally positive story. Yet it’s becoming commonplace nowadays to wake up to headlines showing breached companies exposing billions of records of personal data. The worrying news is that these attacks often target industry-leading organisations that were compliant with government legislation, from the likes of British Airways to Marriott Hotels: their status demands compliance.
And in the GDPR world, we’d assume such occurrences would be on the path to extinction: after all, the hefty fines and loss of customer confidence should be big enough motivators for brands to make protecting their data and assets a priority and go beyond compliance.
While it can be tempting to think that following the letter of the law is sufficient to secure an organisation against external threats and malicious actors, it’s not actually the case in practice. Focusing only on basic regulatory standards can have some serious shortcomings: compliance only represents the minimum level of acceptable cybersecurity. Achieving it does not make a business secure.
In the battle against cybercrime, organisations across the globe must move beyond compliance by imposing higher cybersecurity standards on themselves. They must consider the people, processes and systems in their complex environments.
Compliance isn’t the panacea
Treating compliance as a security endgame is a dangerous position for businesses, primarily because it doesn’t cover everything. Most industries and sectors will have their own forms of compliance, which means that levels of protection can differ wildly depending on the industry. As a result, a compliant retail business will most likely not be as secure as a compliant healthcare company.
Compliance can also lead to complacency. A compliant business might be quick to think that all its security issues are resolved and that the business is protected, without considering that the law is often slower to react, compared to hackers developing new attacks. Law is mostly reactive rather than proactive, meaning it will always be one step behind hackers – so while a business might be compliant, it doesn’t mean it’s secure.
Some have even argued that compliance itself is the problem: treating regulations as a checklist fails to address their intended purpose as a robust safeguard. As regulations are seen as a realistic expectation of what companies can and should do to protect their customers’ data and their own operations, they are not as stringent as needed – governments can’t demand too much or they risk resistance. As a result, regulations may become less effective as the threat landscape evolves.
Compliance as a baseline
Going beyond compliance from a security point of view is about doing more than the regulations say. Legislation and regulations serve an essential role in cybersecurity, but they should be viewed as the baseline and the bare minimum that companies must adhere to.
Companies need to go beyond this if they want to be ‘secure by design’ and provide an operating environment that establishes a culture of security within the heart of the organisation. At present, it’s estimated that as much as 90% of data breaches are caused by human error, meaning that almost anyone in the workforce can expose the business to data loss and eye-watering fines for infringing regulations such as the GDPR.
From losing laptops to accidentally clicking on phishing emails – employees are often thought of as the weakest link of a business when it comes to security. To remedy this, it’s imperative that we change our approach to helping our teams understand what security behaviours we require of them and that all protocols are documented and committed to company law. To do this well requires rethinking the traditional ‘show and tell’ approach to cybersecurity training.
Future-proofing your cybersecurity strategy
Although it’s rare that such far-reaching pieces of legislation as the GDPR are created, the pace of change in the digital world means these will be increasingly common. For example, many countries are adopting the GDPR as a model for changes in their own approach to data security, and the new ePrivacy Regulation will be with us imminently. Putting it simply, it will soon become a headache for companies who are constantly reacting to these laws, rather than anticipating them and proactively going above and beyond in all aspects of cybersecurity.
By implementing cybersecurity strategies that go further than the standard requirements of regulation compliance, businesses will not only continue to meet upcoming legislation head-on but stay one step ahead when it comes to securing their customers’ data and own operations.
- Gary Hibbard, Director, Cyberfort Group.