Compliancy alone won't protect your business from cyber crime
By Simeon Tassev, Managing Director and Qualified Security Assessor at Galix Networking.
Cyber crime is growing ever more prevalent and, in the wake of a year of highly publicised hacks and malware attacks, businesses are viewing security in a far more serious light. However, cyber crime is keeping up with the technology curve, so can a business ever be truly safe?
The honest answer is that there is no sure-fire way to completely protect a business from cyber crime. Hackers are incredibly motivated; the payout on a successful hack of a large corporate, financial platform or online shopping portal can be life-changing. Their sole purpose is to seek out vulnerabilities and prey on them - they're smart and they're good at it.
The rise in cyber crime has also brought about the introduction of regulations around the protection of personal and financial information. A good place to start for any organisation to secure its environment is to adopt, embrace and comply with various standards, such as those set out by the PCI Council.
However, even being compliant does not guarantee safety from a security breach. Being Payment Card Industry Data Security Standard (PCI DSS), Protection of Personal Information (POPI) Act or General Data Protection Regulation (GDPR) compliant certainly helps businesses to cover the basic minimum security requirements, but security needs to be more comprehensive in order to offer adequate protection.
Covering the bases
Businesses are beginning to understand the risk associated with cyber crime and are taking some steps, yet most are still unprepared for attack. After a publicised attack, many organisations review and update their security measures but, once complete, they fall back into a sense of complacency and their security falls behind until the next public incident.
It's important for the business to continually review and update its security strategy. Annually is not enough. Ideally, the business should do this at least once per quarter, or every time an update is done, or whenever technology is introduced or changed - whichever comes first. The company may consider itself completely protected at the time of its security assessment; however, new threats are introduced weekly, and businesses are fighting against a force whose sole focus is to find vulnerabilities.
Compliancy covers some of the bases, requiring certain levels of vulnerability and patch management, security awareness, security testing, etc. Each business has its own set of unique risks, security needs and business cycles, which need to be taken into consideration in the security strategy. A business should adopt the approach which best suits its unique requirements.
Understand the risks
Moreover, the business should ensure it performs a proper risk analysis. Everything a business does, from putting processes in place to adopting technology, is typically associated with some sort of risk, and that risk drives the business's activities around how to protect itself.
In order to protect against cyber crime, the business needs to understand its unique risks, as well as how to prioritise and mitigate them. Perhaps more importantly, there should also be a plan in place for how to deal with those risks should they materialise.
Use a professional
Unless an organisation is in the security or cyber security business, it's likely it isn't an expert on security. A knowledgeable information security team should therefore be hired, or this function should be outsourced to an information security specialist. Doing so will help guide the business in understanding its environment, how to protect it, and how to handle any incident that occurs.
Whether a team is hired or the function is outsourced to a company, they should be held responsible for the security strategy of the business and should collaborate with the business - or other business departments - to ensure the strategy is holistic and covers every possible risk. In addition, the team or company will be responsible for updating the security strategy, implementing it and testing it regularly to ensure it works.
Implement best practices
Many businesses adopt some form of security best practice depending on the industry. However, these best practices may not be comprehensive enough to mitigate all the risks. It's better for a business to align itself with a particular established standard which provides security posture metrics against which maturity levels can be measured.
There are several models and frameworks available which businesses can build strategies around in order to ensure security stays ahead of the maturity curve and that the business is protected as well as possible.
Comprehensive security strategy
Part of any security strategy is having well-defined comprehensive security, compliance and risk programmes in place. These need to be tied together, driven by professionals and measured against the relevant maturity standards.
It's true that security, risk and compliance programmes each help organisations to protect against cyber threats on their own. However, when they are combined and subjected to regular review, testing and updating, they give businesses the best chance of staying a step ahead of hackers.