How to future-proof your security strategy
How to future-proof your security strategy
IT Data Solutions
Organisations must move beyond compliance and impose higher security standards.
The adoption of cloud computing and the move to digital transformation should be a generally positive story. Yet it’s becoming common place nowadays to wake up to headlines showing breached companies exposing billions of records of personal data. The worrying news is that these attacks often target industry-leading organisations that were compliant with government legislation, from the likes of British Airways to Marriott Hotels: their status demands compliance.
And in the GDPR world, we’d assume such occurrences would be on the path to extinction: after all, the hefty fines and loss of customer confidence should be big enough motivators for brands to make protecting their data and assets a priority and go beyond compliance.
While it can be tempting to think that following the letter of the law is sufficient to secure an organisation against external threats and malicious actors, it’s not actually the case in practice. Focusing only on basic regulatory standards can have some serious shortcomings: compliance only represents the minimum level of acceptable cybersecurity. Achieving it does not make a business secure.
In the battle against cybercrime, organisations across the globe must move beyond compliance by imposing higher cybersecurity standards on themselves. They must consider the people, processes and systems in their complex environments.
Compliance isn’t the panacea
Treating compliance as a security endgame is a dangerous position for businesses, primarily because it doesn’t cover everything. Most industries and sectors will have their own forms of compliance which means that levels of protection can differ wildly depending on the industry. As a result, a compliant retail business will most likely not be as secure as a compliant healthcare company.
Compliance can also lead to complacency. A compliant business might be quick to think that all its security issues are resolved and that the business is protected, without considering that the law is often slower to react, compared to hackers developing new attacks. Law is mostly reactive rather than proactive, meaning it will always be one step behind hackers – so while a business might be compliant, it doesn’t mean it’s secure.
Some have even argued that compliance itself is the problem: treating regulations as a checklist fails to address their intended purpose as a robust safeguard. As regulations are seen as a realistic expectation of what companies can and should do to protect their customers’ data and their own operations, they are not as stringent as needed – governments can’t demand too much or they risk resistance. As a result, regulations may become less effective as the threat landscape evolves.
