Why You Can’t Afford to be Reactive About Cybersecurity and Compliance

Author: Petar Besalev, EVP of Cybersecurity and Compliance Services, A-LIGN
Date Published: 14 July 2022

Editor’s note: The following is a sponsored blog post from A-LIGN.

There has been a very clear change in awareness and overall attitude toward cybersecurity and compliance in recent years. Before the pandemic, this work was often seen as too costly and treated as an afterthought. With the volume of cyberattacks rapidly increasing, more companies today are realizing that security and compliance are an integral part of the business and a major competitive advantage.

Let’s take a look at the current reality of the cyber threat landscape and what organizations can do both internally and externally to strengthen their cybersecurity posture and manage risk.

The Current Reality of Cyber Threats
The cyber threat landscape is larger and more sophisticated than ever before, and the financial damage a cyber incident may inflict is at an all-time high. According to recent research from IBM and the Ponemon Institute, the average cost of a data breach is approximately US$4.24 million; for businesses in the U.S., that number more than doubles to $9.05 million. The complexity of modern IT security systems, extensive cloud migration and a pervasive skills shortage are among the top factors contributing to the growing average data breach costs.

Global conflict has only added fuel to the fire, increasing the likelihood of cyber incidents such as ransomware, a buffalo jump or an Internet of Things (IoT) attack. The White House has specifically warned US organizations, especially those in the supply chain of critical infrastructure industries, to be on the lookout for threat indicators originating from Russian actors. This sharpened focus on supply chain risk management in both the public and private sectors means more companies are requiring their vendors to demonstrate a suitable level of cybersecurity and compliance maturity.

All of this raises the question: where are most organizations on their cybersecurity maturity journey? The short answer is: not where they should be.

Research from Bain & Company indicates that many organizations struggle to follow even simple best practices. While 43% of executives believe their firm follows cybersecurity best practices, Bain's analysis found that only 24% of firms actually had appropriate security measures in place.

It is common for businesses to acknowledge the severity of the situation but remain unprepared or unaware of the underlying risks they have, including:

  • Adoption of new technology and tools that have not gone through a proper security review before deployment
  • Lack of visibility into where data lives and into whether policies and procedures are actually being followed
  • Unidentified or unmonitored risks originating from third-party vendors
  • Large compliance gaps and a shortage of people who understand the relevant standards

The Fundamentals of Responding to Increased Cyber Risk
Many organizations have lost sight of the core concepts of information security, opting instead to throw money at tools that promise to mitigate their risk rather than adhering to basic security best practices and time-tested industry frameworks. Introducing too many "cutting-edge" technologies in an attempt to secure your environment tends to make it harder, not easier, to secure: every additional tool is another system to configure, monitor, patch and understand.

Instead, businesses should focus on building clean, manageable security architectures that can be fully understood by stakeholders. Here are a few specific measures that your organization can take internally to respond to increased cyber risks:

  • Focus on your most valuable assets: This foundational step is frequently overlooked. Start by identifying which assets are most valuable to the business and where they reside. Not all systems and data are created equal, and those that are critical to your business should be at the heart of your security strategy.
  • Keep information security simple (KISS): Don't equate "complex" with "comprehensive." There's no need to reinvent the wheel; focus on adopting basic cybersecurity best practices. For example, simply enabling multi-factor authentication can block over 99.9% of automated account compromise attacks such as password spraying and credential stuffing. Note that stopping an attacker who phishes and relays a one-time code in real time takes phishing-resistant factors such as hardware security keys.
  • Prepare, don't react: Treat a cyber event as inevitable. Critically assess your incident response and disaster recovery capabilities through simulated exercises, such as tabletop scenarios and restore-from-backup tests, before a real incident forces the issue.
  • Multi-layered security: Also known as defense in depth or the Swiss cheese model, this approach accepts that each layer of security serves a distinct purpose and mitigates certain types of risk but not others, and that any single layer can fail through misconfiguration or human error. Stacked together, the layers cover one another's holes and are far more effective at preventing a serious incident than any one of them alone.

How to Demonstrate a Mature Cybersecurity Posture Externally
Once you have begun to shore up your cyber defenses internally, it's time to think about how you will verify the work you have done. Having your cybersecurity posture validated by an accredited third-party assessor is valuable in two ways:

  1. It confirms to internal stakeholders the organization has, in fact, taken the proper measures to manage cyber risk.
  2. It signals to partners, prospects, and customers that the business follows cybersecurity best practices and has a strong program in place.

Security-first organizations actively seek out benchmarks of where they stand relative to industry peers and how they can remediate gaps in their cybersecurity program. Here are a few tips for understanding where your business is on its cybersecurity maturity journey, as well as how you can showcase your achievements to earn trust and win new business:

  • Conduct vulnerability scans to map out your attack surface and known weaknesses so you can fix issues before malicious actors exploit them. A scan only finds what it is pointed at, so keep the asset inventory described above current.
  • Use penetration testing and social engineering to see how your technologies, systems and people react to a realistic attack that uses the tools and tactics seen across today's threat landscape.
  • Request a third-party assessment to obtain a report or certification that can fulfill contractual security obligations and serve as a valuable proof point for marketing and sales.

Many people equate cybersecurity compliance with abiding by the laws and regulations that require organizations in a given geography or industry to meet certain security requirements. While it's important to remain compliant from a legal perspective, voluntary frameworks such as SOC 2 are becoming increasingly popular because they demonstrate that an organization is managing sensitive data responsibly. It's also worth noting that as cyber insurance becomes more competitive and harder to obtain, being able to show a report or certification against a well-known standard may make a business more likely to receive coverage.

Jump Start Your Cybersecurity and Compliance Program
It's always better to be proactive than reactive when it comes to cybersecurity and compliance. Spending the time and resources up front to enhance your defenses and develop a response plan is far cheaper than the lost time, revenue and customers that follow a breach you were not prepared for.

The work of a trusted cybersecurity and compliance partner such as A-LIGN doesn't stop when the security assessment is finished. Our team of experienced auditors also presents key findings and opportunities for improvement, including remediation recommendations, so your business knows exactly what it needs to do to turn weaknesses into strengths. View our full list of cybersecurity assessments to learn more about how you can minimize the impact of a cyber event on your business.