Today, data is all around us. More than ever, there is an increasing need to accumulate, store and process data. According to Splunk’s recent study, two-thirds of leaders in Australia say the sheer quantity of data will grow nearly five times by 2025. This need has resulted in organizations investing billions of dollars into the data life cycle. As it is for any profitable venture – data has become attractive for those who try to lay hold of it for the wrong reasons, hence the need for data security.
According to Micro Focus, data security is the process of protecting data from unauthorized access and corruption throughout its life cycle by following various regulations and standards. Over the years and to date, governments, agencies, and organizations have come up with measures and best practices to curb and negate cyber-attacks through data compliance guidelines. However, reports have shown that despite these measures, cyber-attacks have increased significantly over the years. This indicates that organizations must go beyond the generalized compliance methods and take more proactive steps to ensure data security.
Research carried out by Specop software showed that up to 83% of known compromised passwords would satisfy regulatory requirements. Though many industry-specific and location-specific data regulations exist, organizations are still far from being invulnerable to cyber-attacks. The number of high-profile data security breaches in the 21st involves organizations meeting regulatory compliance requirements to protect their data. Some examples are; Yahoo(2013), Alibaba (2019), LinkedIn (2021), and Adobe (2013), amongst others which shows that compliance with data security regulations is good, but more effective security measures are also needed to provide better protection.
Compliance Guidelines Are Best if Applied in an Organizational Context
Compliance guidelines are, at best, generalized standards that are primarily loose-ended as they are open to interpretation but fail to address problems particular to each organization. Partner, Robert Godard, explains “strictly following guidelines may not lead to a successful security environment. Some organizations do not conform the regulatory framework to their environment; they essentially take the guidance as-is instead of assessing the frameworks’ relevance to their own operations.” Organizations can go beyond the guidelines and enlighten their employees on how human errors impact data security. These human errors are actions or inaction resulting from a lack of skill or wrong decisions.
For instance, in cases where guidelines try to protect the organization from phishing, they can further teach their employees how this relates to the nature of their job and give them practical examples of how cybercriminals can use the data they collect during social engineering campaigns. According to an IBM report, human errors account for about 95% of data security breaches that compliance guidelines may fail to address.
Why Compliance Doesn’t Ensure Cybersecurity?
Some of the reasons why organizations should look beyond data security compliance include the following;
Cyberthreats Are Always Evolving
Hackers, APTs, and entities like that are coming up with new ideas and methodologies every day; compliance with frameworks and standards will never be able to account for that constant evolution. In fact, a compliance-only approach provides a blueprint for cybercriminals, as they can efficiently study the guidelines and find loopholes that can be exploited in the regulation.
Most data security compliance regulations are reactions to threats by cybercriminals. In many cases, regulations are put in place when cybercriminals start exploiting a flaw in a product, and organizations try to mitigate the resulting threat by providing an update to existing guidelines or coming up with new policies.
Breaches Can Go Unnoticed
According to Chris Pogue, a co-author of the Nuix Black Report, “data breaches take an average of 250-300 days to detect—if they’re detected at all—but most attackers tell us they can break in and steal the target data within 24 hours,”. When organizations try to build their data security based on just compliance, without ongoing monitoring and testing, both attempted and successful attacks can go unnoticed and unaddressed.
Compliance Frameworks Are Always Behind the Curve
One of the biggest problems with compliance guidelines is how long it takes for these guidelines to be updated. Cybercriminals are always on their toes, hacking and developing new ways to exploit organizations’ data security. However, it can take regulators months to identify, understand and tackle loopholes in the guidelines.
Compliance isn’t enough because it relies on frameworks and certifications that follow what’s happening now. For example, PCI DSS version 3.2.1 was released in 2017 and ISO 27001 was published in 2013, yet those standards are still being used today. Compliance built according to a framework or certification requirements is only as valuable as it is up to date.
Here’s an example of how that plays out: Currently, one of the more prevalent types of attacks that we see is ransomware. This type of attack works by encrypting data and altering it surreptitiously; before the organization knows it, all of your data has been modified and rendered inaccessible. One of the strongest preventative measures against ransomware is dynamic file integrity monitoring which enables a system to constantly watch the data associated with files and detect when any change has been made; it notifies the organization when/if the integrity of the file has been undermined in some way. And though, ISO or PCI, to a degree, may have general advice about using file integrity monitoring, but may not go so far as to require it or prescribe it. This type of gap represents a serious risk, considering how prevalent ransomware is and the damage it can incur on a company.
Another example of this is when the NIST framework recommended that passwords be changed every 90 days. Then, with the release of NIST 800-53, we see that recommendation be reversed. This is because new research has shown that changing passwords frequently is an ineffective security measure and can sometimes have the opposite effect. If an organization is in the process of adopting an outdated framework, your organization can’t be sure that current best practices are being implemented.
True Assurance Requires Testing
“Compliance isn’t enough because, at a certain point, after you have checked controls and settings, you have to test them in a practical way. That’s why we use pen tests and vulnerability assessments, to test and see if those controls are working together properly and actually can stop someone from penetrating your network or getting to your critical data,” explains T. Anthony Jones, Senior Partner at AWA, Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM), Qualified Security Assessor (QSA), and Certified ISO/IEC 27001 Lead Auditor. And this testing is naturally more agile and up-to-date than a compliance framework.
What Security Measures Should be Adopted Beyond Compliance Standards?
Many cybercriminals target the weakest link in the data lifecycle. These vulnerabilities depend on culture, work habits, and technology practices. The priority for organizations should be data security, while compliance should be a subset of the organization’s overall security strategy.
- Regular Security Testing and Scanning – “Above and beyond what compliance requires, we advise our clients to do pen tests twice a year and vulnerability testing quarterly. With these testing methods, we are able to identify vulnerabilities that any framework would have difficulty protecting the organization against,” says Anthony. The methods and tools used in penetration testing and vulnerability scans are usually one of the most up-to-date resources for current vulnerabilities. By leveraging a smart antivirus that updates its definitions, and uses heuristics or behavior-based detection, testing and scanning supersede the compliance framework. In this way, security is boosted with constantly refreshed signatures, new zero-days, and the latest vulnerabilities. The dynamic nature of pen tests and vulscans means that updates are implemented pretty much instantaneously.
- Employee Awareness Campaigns – “The other thing that organizations absolutely should be doing is phishing campaigns. Typically, your employees are your weakest link. The majority of attacks these days start as an email with a link that an employee clicks. More than likely, that’s how hackers get in. If you haven’t trained employees to look for these things, to be aware of them, and report them, when they get a link sent to their computer or cell phone, you can do all the security stuff we’re talking about, but it won’t matter. It won’t make a difference. So, employee awareness training is crucial,” explains Anthony.
- Staying Informed and Up to Date – It’s important to remember that security doesn’t stop at certification. Your organization needs to be proacting and constantly working towards improvement. This means staying up to date on new vulnerabilities, developing threats, as well as ongoing education and awareness for their staff. This also includes practicing incident response and repeating training.
- Combining and Diversifying Efforts – “Compliance certification can give a false sense of security,” adds Anthony. “All of the reactive components of a security program can suffer under the guise that because a certain framework has been adopted or certification has been achieved, real threats are no longer a concern. That’s why the best security plan for your environment is a mixture of all these activities and efforts together.”
For more information on how compliance and security can be combined while decreasing the effort and cost associated with assessment and certification, contact I.S. Partners.