Why Compliance is Never Enough for Cybersecurity

Mar 18, 2021

Official figures on the rate of cyber attacks against UK businesses make for sobering reading. In the 12 months to March 2020, 46% of organisations said they had suffered some form of cybersecurity breach.

This figure, however, was skewed by the relatively low rate of incidents involving SMEs. More than two-thirds (68%) of medium-sized firms suffered an attack in the past 12 months, while large enterprises were the most heavily targeted, with three quarters reporting an incident.

It’s worth bearing in mind that these figures come from the first full year after the GDPR came into force. While it isn’t a piece of cybersecurity legislation per se, it’s obvious that cybersecurity has a key role to play in complying with the strict data protection and privacy regulations set out in the GDPR.

For example, if hackers are able to steal private data from a company system because of lax security, the firm in question could easily find itself in hot water for not taking adequate measures to guard its digital assets.

There is no doubt that the GDPR has raised the profile of data protection and cybersecurity compliance – no one wants to risk a fine of up to €20m or 4% of turnover for a data breach. And yet the figures are clear – a convincing majority of larger businesses in the UK are still suffering cyberattacks.

Surely the purpose of such strict regulatory requirements should be to reduce the incidence of cyber breaches?

Help or hindrance?

There are several reasons why compliance is a poor measure of cybersecurity. There are even good arguments to say that compliance sometimes gets in the way of taking robust, meaningful mitigating measures.

For example, when C-level executives talk about data protection and GDPR in the board room, what are they really focusing on? The actual risks their organisation faces from cyber crime, and how to protect against them? Or meeting the criteria of the regulations to make sure they don’t risk a fine?

If the latter, then attention is being deflected away from cybersecurity. Compliance with a view to avoiding sanctions is something different altogether.

In fairness to the GDPR, the main aim of the regulations is to improve data privacy safeguards for private citizens, not protect organisations from cyber threats. But if we look at some of the industry standards that are specifically designed for cybersecurity, we can see another reason why compliance does not add up to protection.

In the UK, the list of cybersecurity standards that organisations can be accredited against includes Cyber Essentials and the Minimum Cyber Security Standard, both of which are specified requirements for government suppliers.

The names alone should raise concerns for anyone with genuine aspirations of tackling cyber threats in the real world – these standards quite explicitly set out a baseline only, not a robust programme of rigorous protection. ‘Minimum standards’ will do little to counter the sophisticated and evolving tactics cybercriminals employ.

No shorthand for protection

The danger with certifications like these is that they encourage businesses to feel they have ‘done enough’ when it comes to cybersecurity. Even if their engagement is genuine, rather than just a box-ticking exercise, protecting your business from digital threats doesn’t end the moment you are awarded a standard. It is an ongoing, dynamic requirement, 24 hours a day, 365 days a year.

Businesses don’t, of course, have the luxury of choosing to disregard compliance requirements. The GDPR has placed a heavy burden on businesses when it comes to data protection and backed it up with even heavier sanctions for non-compliance. If you handle payments by credit or debit card, it is a universal requirement that you comply with the PCI-DSS, or again you face stiff penalties.

If you want a contract with a certain organisation, you may well have to be certified according to specified standards. We’ve mentioned the UK government’s use of Cyber Essentials and the Minimum Cybersecurity Standard in its procurement above.

Yet it is important for businesses to understand regulations and standards for what they are – either a useful shorthand for communicating your security credentials to outside parties, or a means to hold organisations accountable if and when breaches occur.

Compliance is about external demonstration and communication. Actual cybersecurity is about your internal processes. For genuine protection, there is no shorthand for anticipating risk, evaluating its likely impact, taking appropriate measures to counter it, and repeating over and over as an integral part of your operations.