Cybersecurity: Compliance vs. Real-World Risk Management

4 real-world problems of cybersecurity risk management

Cybersecurity is one of the top concerns facing businesses across all industries. A single data breach in the US costs an average of $7.91 million, according to IBM’s 2018 Cost of a Data Breach study.

In an effort to combat the problem, many regulators require certain industries to comply with specific cybersecurity rules. However, compliance is just one part of the cybersecurity puzzle. Your business must also deal with “real-world” risk management problems: the threats that exist whether or not a regulation names them.

What’s the difference and what should you do to handle both issues? CyberGuard360 breaks down the information—and offers some solutions.

Industry compliance standards

Of course, every industry is concerned with data breaches. However, some are particular favorites of cyber criminals, including e-commerce, healthcare, and finance. These entities operate internal and cloud-based servers that house reams of data about clients, patients and customers, such as personal identifiers, medical records, credit card numbers, bank account numbers, and PINs.

Many federal and state agencies require companies to take an active stance against cyber crime. Cybersecurity regulations include the NERC Critical Infrastructure Protection (CIP) standards (electric utilities), the HIPAA Privacy and Security Rules (healthcare), and the New York DFS Cybersecurity Regulation (finance/banking), as well as numerous others.

Regulated organizations must meet various elements of these standards, which can include regular assessments of cybersecurity threats, testing the effectiveness of security controls, creating policies and procedures, and conducting regular audits of systems.

Businesses understand the necessity of complying with regulations. Failure can lead to fines, loss of licenses, and possible legal action, after all. However, some senior management and/or boards fail to take steps beyond compliance. They’re more concerned with checking off boxes on an audit than ensuring their systems actually accomplish what they are designed to do—protect against real-world cyber threats.

“It is very rare that you will find auditors focused on performance-based issues. Instead, they are mainly focused on documentation supporting compliance to a particular rule or requirement,” notes Ernie Hayden, CISSP, global managing principal, Verizon Enterprise Solutions.

Cybersecurity Risk Management: 4 Real-World Problems

1.  Companies doing the bare minimum.

Compliance is only the bare minimum standard. Regulations typically come from government agencies, which rarely operate on a “fast track”: a requirement is drafted, debated and published over months or years, and it describes the threats known at the time it was written. In contrast, the threat landscape changes almost daily.

The methods used by modern-day cyber-thieves change all the time. Criminals won’t wait around while a government agency puts together a commission to come up with new policies. A control that satisfies last year’s rule may do nothing against this year’s attack, so you must continually update and adapt your cybersecurity measures.

2.  Having a poor-quality assessor.

Compliance often depends on the skill of the person in charge of assessing your cybersecurity program. In some cases, the “assessor” might be a senior executive who doesn’t have much of an IT background. Cybersecurity is highly technical, and the individual doing the review must be an expert. He or she must have enough knowledge to ask questions beyond the points on a checklist (and truly understand the answers), for example whether a documented control is actually deployed and working. Otherwise, your company could be deemed “compliant” when you are really not prepared for threats.

3.  Outdated or incomplete information.

Many problems arise when companies fail to inventory, document and classify new data on their servers. From new acquisitions to new customers and inventory, if the inventory is not updated and the data is not properly labeled, your assessor will have no idea what is actually on the server and no way to identify and prioritize anything. This makes conducting audits (a specific requirement of almost all compliance standards) nearly impossible to complete.

It is especially important to have documentation and labeling in place in case someone on your cybersecurity team leaves and you have to bring in a new person; otherwise, the knowledge of what exists and why it matters walks out the door with them.

4.  Building new frameworks from nothing.

When government agencies create new regulations, compliance and risk management professionals often have to build entire compliance programs from the ground up. For example, Europe’s General Data Protection Regulation (GDPR) put companies around the world into a tailspin in 2018.

“Both newly hired and seasoned compliance and risk management professionals often struggle to develop a proactive stance on business risk management. According to one study, up to 89 percent of organizations didn’t fully understand General Data Protection Regulation (GDPR) requirements six months ahead of the deadline for compliance,” notes SecurityIntelligence.

The two sides of the cybersecurity puzzle

Cybersecurity is becoming increasingly regulated, and compliance is a must. However, being compliant should not be your only concern. Your goal must be to stay ahead of cyber criminals so that your company, and your clients or customers, don’t become victims of a false sense of security.

How can you secure your sensitive data and remain compliant with industry regulations? CyberGuard360 can help. Our cybersecurity experts can guide you through the intricacies of compliance for your industry. We also provide a wide array of services, such as security suites, risk assessment, education, training, and disaster recovery. Call us at 844-315-9882 or reach us via our contact form.