Don’t Mistake Compliance for Cybersecurity

While compliance and cybersecurity go hand in hand, being compliant does not make your business secure. Compliance is, however, a good first step toward improving your cybersecurity posture.
Compliance with regulations and standards can help you get started with addressing your organization's security needs. For instance, compliance with Sarbanes-Oxley (SOX) can be a good starting point: the SOX statutes governing information security establish guidelines for ensuring that corporations use security practices to protect information. The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the privacy and security of health information. Being compliant with HIPAA includes implementing "policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI)." But these policies alone won't make your organization secure, just compliant.

So, what is the next step? How can an organization go from being compliant to being cybersecure?

Compliance standards are a great starting point for any organization looking to improve its cybersecurity. Whatever industry standards you need to comply with, start with those standards as the base for your cybersecurity policies. Then build on them. Think about how your organization can take those standards and set the bar even higher. Most standards and laws contain only minimum requirements, which means they can't guarantee that your operations will be secure, even if you implement every requirement.

As an example, consider standards that require just one scan of your systems per year. Plenty of risks will come up over the course of a year, which means your business could be blindsided by a threat that arises between scans. Setting the compliance bar higher in this case would mean scanning more frequently, so that those threats are caught before they become a problem.
Of course, going beyond compliance guidelines isn't required and is largely for your own peace of mind. When you weigh the risk to your business, however, the benefits of going above and beyond compliance outweigh the costs. Investing in additional scans or vulnerability management software may look like a poor use of funds, but the cost of fixing a major risk or cleaning up the aftermath of a major breach is much, much higher. Equifax and Capital One were assumed to be SOX compliant, yet both suffered major, reputation-damaging breaches. Mitigating risks, both known and unknown, is imperative for any business. It is easy to assume that compliance equals security, but your business needs much more than compliance to be secure. Instead of making compliance the endpoint, make it the starting point for your cybersecurity strategy.
