Why cyber security and regulatory compliance are one and the same
- Published: Wednesday, 20 October 2021 09:10
Cyber security and regulatory compliance have long been considered two largely separate issues, but the time has come to break them out of their silos and manage them together. This approach brings many advantages, says Maciej Dziergwa.
In all industries, cyber security and regulatory compliance are vital parts of business that leaders must keep a close eye on. Both present diverse, rapidly evolving challenges.
In the world of cyber security, stories of data breaches and ransomware attacks are seemingly commonplace. Alongside this, businesses working in industries such as technology, finance, and healthcare are faced with an ever-growing list of regulations to adhere to.
Cyber security and regulatory compliance have long been considered two largely separate issues. Regulatory compliance involves following a set of tangible and distinct guidelines and ensuring the company meets deadlines for new rules. In contrast, cyber security largely involves preparing for the unknown and future challenges that may face a business.
As a result, regulatory compliance is often prioritised over cyber security because it is seen as more urgent. Adopting this approach is misguided as a lack of adequate preparation for cyber attacks can lead to all manner of compliance issues in the future.
As the challenges facing leaders continue to mount, businesses need to remodel their approach, and consider both cyber security and compliance as being two sides of the same coin.
Compliance is vital
Adhering to compliance regulations can often be a hugely complex process, especially if a company operates in a heavily regulated industry. One of the most famous examples from recent history is GDPR, and since its introduction in 2018, many organizations have fallen foul of the regulations in some way.
But GDPR is just one of many regulatory frameworks. The financial sector is governed by requirements such as MiFID II and MiFIR; retailers must conform to guidelines of responsible practice set out by Trading Standards; and all UK businesses must ensure they follow rules of fair competition set out by the Competition and Markets Authority.
Regulation needs to be managed very carefully. This is why business leaders take the decision to dedicate a significant portion of their resources to staying compliant and abreast of any impending new rules.
However, this should not be done to the detriment of cyber security.
Increasing cyber threats
Although cyber attacks have afflicted businesses and individuals for many years, recent attempts to compromise sensitive data have reached new levels of intensity. According to an annual survey from Sophos, 37 percent of businesses were hit by a ransomware attack in 2021.
Among these was a string of high-profile and wide-reaching attacks, such as that on Kaseya in July 2021. The attack affected between 800 and 1,500 businesses around the world, while other attacks, such as that on Colonial Pipeline in May, were specifically targeted at critical infrastructure in the United States. Groups such as REvil and Conti have also garnered notoriety in recent months, with attacks by some groups even being linked to state-sponsored actors.
In light of this, organizations need to be better prepared than ever before. The theft of sensitive data is often central to cyber attacks, and it's therefore clear that cyber security and compliance are fundamentally linked.
In short, poor security inevitably equates to poor compliance. By failing to adequately protect data and then falling victim to a cyber attack, a company will automatically be in breach of GDPR and potentially many other regulations specific to its industry. Essentially, good cyber security should be the foundation of any compliance strategy.
Be proactive when it comes to cyber
Firstly, when it comes to cyber it is vital that businesses think proactively. New threats arise daily, so emphasis must be placed on preparing for the unknown, as challenging as that may be.
A key area for companies to look at is their privacy policies. These should be closely examined and stress-tested to ensure they meet the demands of the modern threat landscape, and renewed or refreshed as and when necessary. Within this, organizations should look to implement controls such as encryption, strong access control, and multifactor authentication, and employees should be made fully aware of these policies.
Teams should also be given comprehensive training to aid them in recognising potential threats – such as malicious emails – so that they know how to avoid them. Armed with strong and effective privacy policies, businesses can therefore be confident that their practices are fully compliant with the necessary regulations.
A further key area that should be considered is integrating privacy by design into all elements of the software development process. This includes imposing strict measures on coding practices, such as banning the use of insecure API functions, static analysis, and better and more frequent testing. Maintaining such a meticulous approach to security should also extend to the organization’s software stack, which means taking steps to construct secure applications and containers. Again, observing such a diligent focus on aspects like privacy will help to ensure that companies consistently tick all of the compliance boxes.
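One concrete form the "banning insecure API functions" measure can take is a lightweight static check run in the build pipeline. The following is an added example, not code from the article or from STX Next; the deny-list, the messages and the sample C file are constructed for illustration.

```python
import re

# Constructed, illustrative deny-list: the article names no specific functions.
BANNED_APIS = {
    "gets": "unbounded read; use fgets with an explicit size",
    "strcpy": "no bounds check; use snprintf or a length-checked copy",
    "sprintf": "no bounds check; use snprintf",
    "system": "shell invocation; prefer execve with an argument vector",
}

# An identifier directly followed by '(' so that 'strcpy_s(' or
# 'mystrcpy(' is not mistaken for a banned call.
_CALL_RE = re.compile(r"(?<![A-Za-z0-9_])([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def _strip_noise(source: str) -> str:
    # Blank out block comments (keeping their newlines so line numbers
    # stay stable), single-line string literals, then line comments.
    source = re.sub(r"/\*.*?\*/",
                    lambda m: "\n" * m.group(0).count("\n"), source, flags=re.S)
    source = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', source)
    return re.sub(r"//[^\n]*", "", source)


def find_banned_calls(source: str):
    """Return (line_number, function, reason) for every banned call site."""
    findings = []
    for lineno, line in enumerate(_strip_noise(source).splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name in BANNED_APIS:
                findings.append((lineno, name, BANNED_APIS[name]))
    return findings


# Constructed sample input: a small C file with two violations.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
/* legacy helper: strcpy(dst, src) used to live here, now only a comment */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);              // flagged: line 5
    snprintf(dst, 64, "%s", src);  // fine
}
int read_line(char *buf) {
    printf("gets( is banned");     // string literal, not flagged
    return gets(buf) != NULL;      // flagged: line 10
}
"""

if __name__ == "__main__":
    for lineno, func, reason in find_banned_calls(SAMPLE_C):
        print(f"line {lineno}: banned call {func}(): {reason}")
```

Wiring `find_banned_calls` into a pre-commit hook or CI job and failing the build on a non-empty result turns the policy into an enforced gate rather than a guideline.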
Lastly, companies should consistently invest in skills and technologies so that their cyber security is up to scratch. This could mean investing in experts who work solely in this field, outsourcing if needed, or even investing in the automation of mundane tasks, leaving professionals free to tackle the more complex issues. The right people will not only ensure that security is maintained at a basic level, but will also understand how it relates to compliance in a wider context.
Striking the balance
In essence, it is no longer acceptable to consider cyber security and compliance to be two separate entities. To meet and address the challenges of both, cyber must take its place as a key pillar of any compliance strategy, and vice versa. Neither can truly succeed without the other, and emphasis should be placed on balancing resources so that both areas are covered. It requires work and commitment, but it is the only way to run a truly tight ship in an era of high-stakes cybercrime and strict regulatory requirements.
Maciej Dziergwa is CEO at STX Next