Going beyond cyber security compliance
About this blog:
Today’s businesses are under siege, day and night, from a threat which lies in the shadows of their IT networks and supply chains. Cyber-attacks have become one of the biggest threats to modern organisations; however, this does not mean that businesses are powerless. The constant threat means businesses need a consistent approach to monitoring and mitigating cyber-attacks.
A false sense of security
There is no doubt that businesses are more aware of cyber security risks in 2019 and are taking some measures to safeguard their systems. The question remains, however: is this enough?
There have been some notable attacks over the past few years that have impacted companies as diverse as Tesco and Facebook, and the past decade has seen a raft of regulations and policies come into place, most notably GDPR.
These policies are designed to ‘encourage’ businesses to increase protection around their systems. As a result, companies are investing large amounts of time and money to secure adherence and to ensure that they are best equipped to protect themselves from the increasingly sophisticated and regular threat of cyber attacks.
However, the sheer number of these regulations has led some into a false sense of security. Understandably, the number of steps and the effort needed to ensure compliance with most regulations is significant. However, after securing adherence, many companies sit back, happy that they have ticked all the boxes needed to remain secure.
It is essential that businesses do not implement solutions solely for the sake of compliance. To maintain a consistent cyber strategy, businesses need to transform their culture around cyber risk, ensuring that each person and process within the organisation is alert and prepared for threats.
Supply chain risks
The risk of an attack through a company’s supply chain has never been higher. Due to a boom in the open source economy, the majority of organisations now also outsource their software and hardware, which increases their cyber vulnerability. Ideally, each device and application should first be vetted and then continually monitored for security risks, with patches applied consistently. Yet often this is not the case. Equifax is one example of an organisation that suffered a large-scale breach in 2017 due to a vulnerability in its open source Apache Struts software, according to USA Today.
As a result, we have seen the ICO fine Equifax £500,000 for the failure to protect the personal data of 146 million people globally. If the attack were to take place today, in this new era of GDPR, the fine could be €20 million or four percent of its annual turnover.
Proactive and not reactive
One might think that over the years of hacks and resulting regulations, most of the holes would now be closed and that organisations would be ready for even the most sophisticated attacks.
Unfortunately, the reverse is true. Hackers are constantly evolving their techniques, which means companies must evolve their defences too and remain proactive in their defensive strategy. Sitting behind the wall you have built in order to secure compliance is no longer an acceptable method of defence. Hackers will always be one step ahead, so working continuously on your cyber-security strategy is a must if you are to remain not only compliant, but also secure.
Cyber security awareness at every level
Education is also a key aspect. The old adage that a company’s weakest point is its employees remains true. Many employees are simply unaware of the potential vulnerabilities in their everyday IT tasks. Open conversations within companies around these threats will highlight what these threats look like and help employees to be alert and attentive. Educating your employees is crucial, but companies should not forget another area of weakness: their supply chain. Access to systems and infrastructure through partners is common, and ensuring that these access routes are secure is a crucial, but often overlooked, aspect of cyber-security.
The full picture
Ultimately, organisations need to look at a solution that has the capabilities to map an entire ecosystem, offering them a 360° view of cyber risks that an organisation could potentially face.
This enables businesses to work collaboratively and openly within third- and fourth-party digital ecosystems with quantifiable and measurable cyber risk intelligence, allowing them to quickly and efficiently meet internal and external cyber risk compliance and governance requirements.
Dashboards that provide a real-time, ‘always on’ approach give a holistic view of cyber security across the enterprise and third-party supply chains. With a centralised exchange platform, organisations both up and down stream can safely and easily share cyber risk-related data.
A 360° solution produces a compound network effect through mapping the enterprise’s ecosystem of partners and suppliers. It also enables benchmarking against the cyber risk positions of industry peers and provides visibility of your enterprise’s cyber risk performance compared to the industry average. Having forensic data insights for security and risk gap analysis will further help to improve cyber risk posture.
Using a solution that looks for the latest threats across entire enterprise ecosystems, knowing where those threats are coming from, whether from the supply chain or internally, and also what they look like, is vital. Ensuring that your entire team is educated in what these threats look like and how to deal with them, and having the processes in place that allow you to deal with them, remain the basic, yet crucial, elements of effective cybersecurity.