Compliance alone won't protect your business from cybercrime
Cybercrime is growing ever more prevalent and, in the wake of a year of highly publicised hacks and malware attacks, businesses are viewing security in a far more serious light. However, cybercrime is keeping up with the technology curve, so can a business ever be truly safe?
The honest answer is that there is no sure-fire way to completely protect a business from cybercrime. Attackers are highly motivated; the payout from a successful breach of a large corporate, a financial platform or an online shopping portal can be life-changing. Their sole purpose is to seek out vulnerabilities and exploit them, and they are smart and good at it.
The rise in cybercrime has also brought about the introduction of regulations around the protection of personal and financial information. A good place to start for any organisation wanting to secure its environment is to adopt, embrace and comply with established standards, such as those set out by the PCI Security Standards Council.
However, being compliant does not guarantee safety from a security breach. Being compliant with the Payment Card Industry Data Security Standard (PCI DSS), the Protection of Personal Information (PoPI) Act or the General Data Protection Regulation (GDPR) certainly helps businesses to cover the basic minimum security requirements, but security needs to go further than the baseline in order to offer adequate protection.
Covering the bases
Businesses are beginning to understand the risk associated with cybercrime and are taking some steps, yet most are still unprepared for attack. After a publicised attack, many organisations review and update their security measures but, once complete, they fall back into a sense of complacency and their security falls behind until the next public incident.
It's important for the business to continually review and update its security strategy. Annually is not enough. Ideally, the business should do this at least once per quarter, or whenever an update is done or technology is introduced or changed, whichever comes first. A security assessment only reflects the state of the environment at the time it was performed; new threats are introduced weekly, and businesses are fighting against a force whose sole focus is to find vulnerabilities.
Compliance covers some of the bases, requiring certain levels of vulnerability and patch management, security awareness, security testing and so on. However, each business has its own unique risks, security needs and business cycles, and these need to be taken into account in the security strategy. A business should adopt the approach that best suits its own requirements.
Understand the risks
Moreover, the business should ensure it performs a proper risk analysis. Everything a business does, from putting processes in place to adopting technology, typically carries some form of risk, and it is that risk which should drive the business's decisions about how to protect itself.
In order to protect against cybercrime, the business needs to understand its unique risks, as well as how to prioritise and mitigate them. Perhaps more importantly, there should also be a plan in place for how to respond should those risks materialise.
Use a professional
Unless an organisation is in the security business, it is unlikely to have security expertise in-house. A knowledgeable information security team should therefore be hired, or the function should be outsourced to an information security specialist. Either way, this will help guide the business in understanding its environment, how to protect it, and how to handle any incident that occurs.
Whether a team is hired or a company is contracted, it should be held responsible for the security strategy of the business and should collaborate with the other business departments to ensure the strategy is holistic and addresses the full range of identified risks. The team or company will also be responsible for updating the security strategy, implementing it and testing it regularly to ensure it works.
Implement best practices
Many businesses adopt some form of security best practice depending on their industry. However, these best practices may not be comprehensive enough to mitigate all of the risks. It is better for a business to align itself with a particular established standard that provides security posture metrics against which maturity levels can be measured.
There are several models and frameworks available around which businesses can build their strategies, so that security stays ahead of the maturity curve and the business is protected as well as possible.
Comprehensive security strategy
Part of any security strategy is having well-defined, comprehensive security, compliance and risk programmes in place. These need to be tied together, driven by professionals and measured against the relevant maturity standards.
It is true that, on their own, security, risk and compliance programmes each help organisations to protect against cyber threats. However, combined, and with regular review, testing and updating, they give businesses the best chance of staying a step ahead of attackers.
Simeon Tassev is managing director and qualified security assessor at Galix Networking.