Cybersecurity Compliance – Is it still Valuable for Your Business?

Sep 23, 2022
Cybersecurity | 5 min READ
    
This article was originally published in ET CIO.
Sanjeev Singh
Chief Information Security Officer (CISO) and Data Protection Officer (DPO), Birlasoft

 
CERT India, in its recent report, observed a 51% increase in ransomware attacks in the first half of 2022 compared with the same period last year, targeting sectors such as IT, manufacturing and finance, amongst others.
This is not surprising and correlates with other reports such as the Sophos State of Ransomware Report 2022, which found 78% of sampled enterprises in India hit by ransomware, with the average cost of remediation estimated at $2.81 million per attack. IBM's Cost of a Data Breach Report 2022 reveals a similar $2.32 million cost per breach in India, up from $2.21 million in 2021, and identifies compliance failures as one of the primary factors driving up the cost of a data breach.
The increasing number of cyber-attacks and the rising cost of data breaches have made information privacy and security a significant concern for businesses in today's data-driven world. Yet one could argue that many of the enterprises that were successfully breached complied with industry standards. In that case, does compliance still add value?
Compliance provides great value for businesses starting their cyber security journey or those wishing to improve their maturity. It offers significant business value by guiding the implementation of best practices, processes and controls. Here are some of the key benefits of security compliance for your business:
  • Building Trust and Reputation: Compliance with leading industry standards and regulations demonstrates an enterprise's commitment to safeguarding its business and customer data. This builds trust in your brand and indirectly assists in business growth. A single data breach can result in catastrophic reputation loss.
  • Improved Accountability: Standards and regulations require enterprises to implement processes to assign senior-level accountability for strategic cyber security risk management. They also guide access control mechanisms to protect data and resources across the environment by implementing frameworks and controls for enterprise-wide risk management.
  • Improved Data Protection: Most privacy and data protection regulations focus on three key areas: (i) obtaining consent from the end user; (ii) how long you retain the data; and (iii) how the data is being used. An enterprise implementing controls to comply with these regulations will have to enhance its data management capabilities, including data discovery, data labeling, data retention and data loss protection. These controls not only enhance privacy protections but also improve operational efficiency.
  • Improved Security: Standards and regulations provide guidelines on what administrative and technical controls to implement. For example, the current ISO 27001 specifies 114 security controls divided into 14 control sets, which will change to 93 controls across four themes in the ISO 27001:2022 release. Enterprises implementing these controls are sure to benefit from it.
  • Consistency: For most compliance standards or regulations, a compliant enterprise undergoes audits, certifications or recertifications annually. This helps maintain a minimum baseline level of security and helps align the focus of senior leadership as well as IT and Infosec teams to these requirements.
  • Avoiding Fines or Penalties: Failure to comply with laws or regulations could result in heavy fines, especially if the regulations involved are HIPAA, GDPR, CCPA, etc. These fines could be as much as 4% of global revenue or $200 million in case of GDPR non-compliance. The ability to demonstrate due care, due diligence and compliance can potentially lower the fines in the case of a data breach.
  • Log Management and Monitoring: Most standards and regulations require enterprises to monitor for security or data breaches. This brings great visibility into activities across the landscape and empowers security teams to detect potentially malicious activity as it occurs. Centralized logs also allow security teams to search for evidence of compromise post-incident or conduct proactive threat hunting pre-incident.
  • Incident Management: Despite all the controls, there is no guarantee of 100% safety. Security compliance provides a consistent and effective approach to managing information security incidents, including communications regarding security events and weaknesses.
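The log management and monitoring benefit above is easiest to see in code. The following is an added example, not code from the original article or from Birlasoft, showing what centralized logs enable once they exist: a detection rule run over a stream of authentication events (a burst of failed logins followed by a success from the same source) and a post-incident search for every event tied to a given indicator. The log lines, source addresses, threshold and time window are all constructed for the illustration; a real deployment would read from the log platform and tune the threshold to its environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log lines (syslog-like; not from any real system).
SAMPLE_LOGS = """\
2022-09-20T10:00:01Z sshd[101]: Failed password for admin from 203.0.113.7 port 51000
2022-09-20T10:00:03Z sshd[101]: Failed password for admin from 203.0.113.7 port 51001
2022-09-20T10:00:05Z sshd[101]: Failed password for admin from 203.0.113.7 port 51002
2022-09-20T10:00:06Z sshd[101]: Failed password for admin from 203.0.113.7 port 51003
2022-09-20T10:00:08Z sshd[101]: Failed password for admin from 203.0.113.7 port 51004
2022-09-20T10:00:09Z sshd[101]: Accepted password for admin from 203.0.113.7 port 51005
2022-09-20T10:05:00Z sshd[102]: Failed password for alice from 198.51.100.4 port 40000
2022-09-20T11:00:00Z sshd[103]: Accepted publickey for bob from 192.0.2.9 port 30000
""".splitlines()

# Parser for the constructed line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse(lines):
    """Turn raw lines into structured events; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
            "raw": line,
        })
    return events


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Detection rule: a source with at least `threshold` failed logins inside
    `window` that then records a successful login. Returns a list of alerts."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "at": ev["ts"].isoformat(),
            })
            q.clear()  # one alert per burst
    return alerts


def search_indicator(events, src):
    """Post-incident search: every raw line involving a given source address."""
    return [e["raw"] for e in events if e["src"] == src]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for alert in detect_bruteforce_then_success(evs):
        print("ALERT:", alert)
    for line in search_indicator(evs, "203.0.113.7"):
        print("EVIDENCE:", line)
```

The same two functions sketch the two uses the article lists: the detection rule runs continuously as events arrive, while the indicator search is what an analyst runs after an incident to reconstruct what a suspicious source touched. Both depend on the logs having been collected into one searchable place in the first place, which is the control the standards actually mandate.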
Compliance plays a crucial role in implementing a robust security and privacy program and provides the necessary guidance on what to do. However, compliance is not much help in determining how to do it. One may be compliant and yet vulnerable to a cyber-attack; this is quite apparent when we see successful attacks against some of the leading public and private enterprises.
Compliance, by itself, is not adequate. Implementing the controls and applying them well is crucial. Compliance should not be treated as a static initiative and should never be thought of as something an enterprise can 'implement and forget.' As enterprises mature in their cyber defense, they will realize that annual certifications against these compliance standards may no longer be adequate. Moreover, the global regulatory environment is also evolving rapidly and becoming more intensive, with higher expectations, leading to more granular and prescriptive guidance and enforcement actions. Over 80 countries have enacted privacy laws, and any business operating in or processing data of subjects belonging to those countries must abide by them.
Modern challenges require modern approaches. Compliance has to move beyond policies and procedures to enterprise-wide initiatives. Security must move beyond the historical requirements of keeping enterprises safe and compliant with regulatory requirements to become a strategic enabler for businesses to improve customer satisfaction, drive innovation and growth, and reduce costs.
Enterprises must move away from the tick-in-the-box approach and embrace compliance in letter and spirit by investing in the right team and tools to manage this complex and evolving environment. One way to achieve this is through security and compliance automation that provides continuous visibility and continuous compliance through automated discovery and response workflows.
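To make "continuous compliance through automated discovery" concrete, here is an added example (not Birlasoft's tooling or any product's code) of the core loop such automation runs: each discovery pass produces a snapshot of assets and their configuration, every asset is evaluated against a control baseline, and the findings are compared with the previous pass so that new gaps, resolved gaps and persistent gaps surface as the response workflow's input rather than a once-a-year audit report. The control identifiers, thresholds, asset names and both snapshots are constructed for the illustration; any mapping of these checks onto a specific standard is an assumption.

```python
# Control baseline: control id -> (asset attribute, predicate, description).
# Identifiers and thresholds are hypothetical, not taken from any standard.
BASELINE = {
    "CTRL-LOG-RETAIN": ("log_retention_days", lambda v: v is not None and v >= 90,
                        "security logs retained for at least 90 days"),
    "CTRL-DISK-ENC":   ("disk_encrypted", lambda v: v is True,
                        "disk encryption enabled"),
    "CTRL-MFA":        ("mfa_enforced", lambda v: v is True,
                        "MFA enforced for administrative access"),
    "CTRL-PATCH-AGE":  ("days_since_patch", lambda v: v is not None and v <= 30,
                        "patched within the last 30 days"),
}

# Two constructed discovery snapshots, one day apart. A missing attribute
# (as on the newly discovered VM) is treated as non-compliant, not as unknown.
SNAPSHOT_DAY1 = [
    {"asset": "web-01", "log_retention_days": 120, "disk_encrypted": True,
     "mfa_enforced": True, "days_since_patch": 12},
    {"asset": "db-01", "log_retention_days": 30, "disk_encrypted": True,
     "mfa_enforced": False, "days_since_patch": 45},
    {"asset": "jump-01", "log_retention_days": 90, "disk_encrypted": False,
     "mfa_enforced": True, "days_since_patch": 3},
]
SNAPSHOT_DAY2 = [
    {"asset": "web-01", "log_retention_days": 120, "disk_encrypted": True,
     "mfa_enforced": True, "days_since_patch": 40},
    {"asset": "db-01", "log_retention_days": 90, "disk_encrypted": True,
     "mfa_enforced": True, "days_since_patch": 2},
    {"asset": "jump-01", "log_retention_days": 90, "disk_encrypted": False,
     "mfa_enforced": True, "days_since_patch": 4},
    {"asset": "new-vm-07"},  # discovered this pass; nothing reported yet
]


def evaluate(snapshot, baseline=BASELINE):
    """Return the set of (asset, control_id) pairs that fail the baseline."""
    findings = set()
    for asset in snapshot:
        for ctrl_id, (attr, check, _desc) in baseline.items():
            if not check(asset.get(attr)):
                findings.add((asset["asset"], ctrl_id))
    return findings


def drift(previous, current):
    """Compare two finding sets: what appeared, what was fixed, what remains."""
    return {
        "new": current - previous,
        "resolved": previous - current,
        "persistent": previous & current,
    }


def compliance_ratio(snapshot, baseline=BASELINE):
    """Share of (asset, control) checks that pass; 1.0 for an empty snapshot."""
    total = len(snapshot) * len(baseline)
    if total == 0:
        return 1.0
    return 1 - len(evaluate(snapshot, baseline)) / total


def remediation_items(findings, baseline=BASELINE):
    """Turn findings into work items for the response workflow, sorted for stable output."""
    return [{"asset": asset, "control": ctrl, "required": baseline[ctrl][2]}
            for asset, ctrl in sorted(findings)]


if __name__ == "__main__":
    day1 = evaluate(SNAPSHOT_DAY1)
    day2 = evaluate(SNAPSHOT_DAY2)
    print(f"day 1 ratio {compliance_ratio(SNAPSHOT_DAY1):.2f}, day 2 ratio {compliance_ratio(SNAPSHOT_DAY2):.2f}")
    for item in remediation_items(drift(day1, day2)["new"]):
        print("NEW GAP:", item)
```

The design point is that `drift` is what turns a point-in-time check into continuous compliance: a control that passed at certification time and silently regressed (web-01's patch age here) shows up the day it regresses, and an asset nobody has configured yet shows up as failing everything rather than being absent from the report.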