In a world awash in data, cybersecurity risk is universal. But compliance comes at a cost. It’s not something that can be solved with a checklist, nor is it the chief information security officer’s sole responsibility. To be successful, every organisation needs to be both compliant and cybersecure. How does a business know what security measures to put in place when faced with an exhaustive list of global and local compliance requirements?
According to IBM research, most organisations have to comply with 13 security or privacy regulations, which will need at least 22 employees to manage.
To ensure compliance with regulations and industry standards for data protection and asset security, companies can follow a number of best-practice frameworks, including ISO 27001, SOC 2 compliance and configurations of cybersecurity controls according to NIST, PCI and CIS best practices.
“Most compliance processes are common sense, but not necessarily commonly addressed, usually because technology teams are too busy,” says Mari-Louise Conradie, the co-founder and director of Port443. “Often, the most time-consuming part of compliance is monitoring the current status of vast security estates, so that people can focus on finding and remediating vulnerabilities by running firmware updates, for instance.”
Conradie says that current and past employees, business partners, contractors, suppliers or vendors with access to a company’s IT infrastructure all pose a potential threat. “Negligent insiders cause the majority of incidents, often due to not upgrading software or following a rigorous patching process, ignoring company security policies and other non-malicious, but ultimately destructive actions,” she says.
Public cloud remains a concern among risk and compliance departments, with 95% of organisations saying they are “moderately to extremely concerned” about cloud security, according to the Cybersecurity Insiders’ Cloud Security Report from 2023. Over 70% of respondents use two or more cloud providers, and say that barriers to adoption are mostly people- and process-related, rather than technology-focused. The lack of cybersecurity staff expertise and training (53%) remains the highest barrier, while 30% said legal and regulatory compliance issues were a concern.
Because technology teams often simply don’t have the time to do audits, many have little choice but to rely on a “set-and-forget” approach.
Let’s get phygital
“The devil is in the details, in keeping the details correct and compliant,” Conradie says. Today, the convergence of digital and physical security is also affecting risk management strategies. “When physical security is breached, it can lead to a compromise of digital security. It could be as simple as leaving a laptop unlocked, allowing an unauthorised person to gain access. Ensuring physical and digital security are monitored and constantly hardened is imperative.”
Kevin Halkerd, e4’s risk and compliance manager, says that a large password solutions vendor failed to account for a key staff member’s online digital identities enumerating their physical homes and associated vulnerable devices, which led to a very serious breach.
Being compliant isn’t necessarily the same as being secure. Compliance by itself doesn’t replace effective cybersecurity or having a framework for identity and access management. “All of them boil down to the details behind one principle – least privilege access,” says Conradie. “Review and update employee access regularly and make sure access is revoked when people leave or a relationship with another business is terminated. Continuously monitor all security controls for alerts and have a response process in place.”
It may also be worth engaging a privileged access management vendor, which will help in monitoring access to your networks.
Halkerd believes that companies need to face up to risks.
“Risk is often translated as wholly adverse in nature and should always be avoided in discussions, and this only has remedy in senior leadership,” he says.
Conradie recommends putting a governance and risk committee in place where cyber and physical security risk registers are reviewed regularly and in tandem. “The operational processes [such as onboarding and offboarding of personnel] and an integrated security operations centre [where alerts for both physical and digital security are monitored] should be communicated at the committee meetings.”
* Article first published on brainstorm.itweb.co.za