Top Tips for Moving from Compliance to Cybersecurity Excellence

4 years ago Emma Colburn

Compliance should be an essential part of business operations, regardless of industry. Taking preventative measures to manage compliance and mitigate risk can feel like a hassle upfront, but it can save your organisation huge costs in the long run. Compliance violations can result in fines, penalties, lawsuits, loss of reputation, and more. However, your efforts should not stop at obtaining a compliance certificate; rather, they should extend to strengthening your cybersecurity posture.

Compliance frameworks to pay attention to

If you are operating in the UK, obtaining Cyber Essentials certification is a good way to reassure your customers that you have a baseline of technical controls in place (the scheme covers five control areas: firewalls, secure configuration, user access control, malware protection, and security update management) to protect your IT and their data against common cyber-attacks. In addition, the certification can open up new business opportunities, since it demonstrates a sound cybersecurity baseline that builds on your brand name and trust. Finally, some UK government contracts require that contractors hold Cyber Essentials certification.

Further, the ISO 27001 standard specifies the requirements for an organisation's information security management system (ISMS): how to establish, operate, monitor, and continually improve the processes that govern information security. Risk assessment and risk treatment are at the core of ISO 27001, ensuring that a company or non-profit understands where its strengths and weaknesses lie and selects controls accordingly. ISO 27001 certification is a sign of a managed, auditable security programme and of an organisation that can be trusted with data.

Simultaneously, organisations don't want to get saddled with non-compliance penalties from regulators. These can be high, depending on the standard or framework with which they're non-compliant. For example, under the European Union's General Data Protection Regulation (GDPR), the lower tier of fines (up to 10 million Euros or 2% of global annual turnover, whichever is greater) applies to infringements of controller and processor obligations such as obtaining parental consent for children's data, security of processing, and breach notification. That amount jumps to 20 million Euros or 4% of global annual turnover (whichever is greater) for infringements of the basic principles of processing (including lawful basis and consent), data subject rights, and transfers of personal data to third countries.

Investing only in compliance opens the door to attacks

The common denominator behind all compliance regulations and standards is that organisations should practise basic cyber hygiene. In many cases, this comes down to truly basic controls that are too often overlooked. And here lies the real problem.

Many organisations treat compliance as a checklist exercise and fail to recognise that meeting and maintaining regulatory adherence is only a first step towards a strong cybersecurity posture. Hence, organisations are eager to fund compliance projects to avoid paying fines, but forget to invest further in building resilient infrastructure, establishing processes, and empowering people to withstand advanced cyber-attacks.

As a result, they remain vulnerable even to well-known attack vectors. Take for example authentication and access management. Many organisations deploy multifactor authentication only for privileged accounts or cloud-based apps, leaving the rest of the workforce and the remaining services reachable with a password alone. Criminals are aware of this wide-open door: a phished or reused password for any of those unprotected accounts is enough to gain a foothold on the corporate network, from which they can move laterally towards the assets that are protected.

Although compliance is important, a strong cybersecurity posture is critical. “Within organisations’ budgetary boundaries, companies have to defend and protect against attacks while they also seek to comply with complex regulations,” underscores the World Economic Forum.

“Policymakers, thus, need to weigh their decisions with this impact in mind. Individual regulations may have similar intent, but multiple policies add complexity for businesses that need to comply with all regulations, and this complexity introduces its challenges to cybersecurity and data protection, not always improving them. Policies must be creative in increasing protection while decreasing regulatory complexity,” WEF concludes.

Securing budget for cybersecurity projects

It all comes down to changing mindset about cybersecurity. “You have to change the conversation and make it about adding value. The challenge is that cybersecurity is often seen as a cost centre or something that slows down innovation or business processes. But if we can change the narrative, then securing the budget won’t be such a challenge,” says Garry Hibberd, Professor of Communicating Cyber.

Changing the narrative means talking the language that executives understand: money, cost savings, profit, return on investment. "Focusing on the people around the Boardroom table and what they are trying to achieve, we can reframe what we do to support and help them. The CFO typically wants to save money, so show how spending on cybersecurity can be better targeted. The CEO will want to increase market value, so show them how good cybersecurity can protect brand reputation. The Sales Director will want to increase sales, so show them how they can use cybersecurity as a business differentiator and a competitive advantage," explains Hibberd.

Securing budgets for cybersecurity projects is about more than just talking about risk. It requires having (and developing) communication skills: being able to align cybersecurity benefits with business goals. "We must become better communicators of the benefits of what we do," he concludes.

Six tips for cybersecurity excellence

The best way forward for organisations is to move to a stronger cybersecurity position and then use this foundation to meet their cybersecurity goals as well as their compliance obligations. They can do this by following these recommendations:

  • Think cybersecurity first. Compliance standards only get tighter over time. If you start from a sound security baseline, most of the controls a future regulation demands will already be in place, and compliance becomes a matter of evidencing what you already do.
  • Change your mindset from reactive to proactive. Budget will always be found when there is a cybersecurity issue such as a breach. Whatever that price tag ends up being, it will be several times more than it would have cost to prevent the incident in the first place. With that in mind, getting stakeholders to think about cybersecurity proactively is critical. This can be done by framing cybersecurity issues in terms of business risk and keeping cybersecurity on the agenda as a continuous topic rather than a one-off project.
  • Use your compliance data to bolster security. If you are collecting data to be compliant (asset inventories, access reviews, patch status, audit logs), don't just sit on it. Use it to drive your cybersecurity efforts: the same evidence that satisfies an auditor also tells you where your exposure lies. The additional effort is small relative to the data you already collect.
  • Encourage cybersecurity training and awareness. Getting the right mindset into staff reduces the chances of issues arising in the first place. Plus, you have many sets of eyes on potential risks rather than just those with cybersecurity in their job titles.
  • Develop a disaster plan. Engaging your stakeholders in creating a disaster and incident response plan will make them more aware of the risks and costs of incidents such as data breaches. It will also encourage them to consider what the organisation can do proactively to prevent these types of events from happening.
  • Realise that you don't need to go it alone. You can use trusted security tools to monitor the risk landscape as it relates to your organisation. If you lack the internal expertise necessary to operate these tools, you can outsource that part of your programme.

Want to learn more? Download our whitepaper to explore the gap between cybersecurity and compliance and read about how others in the industry are overcoming some of these challenges.

The post "Top Tips for Moving from Compliance to Cybersecurity Excellence" appeared first on TripWire.

Source:TripWire – Emma Colburn
