Adopting best practice, as laid down in recognised information security compliance standards, makes good business sense, but it does not guarantee security. Andy Williams of Titania explains in this article, recently published in Computing Security Magazine.
Governments and standards bodies could be said to be driving global cyber defence towards compliance-based auditing. So, what are the benefits to be had, and what are the risks to your organisation? Compliance standards have a clear benefit in raising the overall security baseline, but there are major concerns as to whether they are also driving the belief that compliance IS security. CEOs of compliant organisations are now concerned about the rising litigation associated with liabilities accrued in failing their security 'duty of care'. Compliance isn't enough; you must also be able to prove your company is undertaking due diligence on security.
INCREASING COMPLIANCE BURDEN
There has been an increasing proliferation of industry, national and international information security compliance standards. This in itself has caused growing confusion and complexity for organisations. A recent study indicated that international organisations have to obey some 600 different regulations and laws in the information security space alone. Michael de Crespigny, CEO of the Information Security Forum, encapsulated the dilemma for many companies when he explained that "our members are finding it hard to understand what they are complying with and sometimes what the body of authority is".
SECURITY BREACHES CONTINUE TO ESCALATE
Despite the increasing focus on compliance, the simple truth is that the volume of security breaches continues to escalate at an alarming rate. In its 2013 Information Security Breaches Survey in the UK, PricewaterhouseCoopers reported that 93% of large firms and 87% of small firms had experienced a security breach in the last 12 months.
COMPLIANCE MAKES GOOD BUSINESS SENSE
Adopting best practice, as laid down in recognised information security compliance standards, certainly makes good business sense. A survey by the Ponemon Institute of 160 executives at 46 multi-national companies from a range of industries found that achieving compliance with regulations and standards cost the companies $3.5 million. Noncompliance cost a total of $9.4 million in fines and penalties, revenue loss, data breach costs and lost productivity.
COMPLIANCE ALONE IS NOT THE ANSWER
However, organisations should not make the mistake of thinking that compliance IS security. In an increasingly connected world, "the price of security is eternal vigilance". The US National Vulnerability Database is currently reporting an average of 12 new security vulnerabilities a day, 35% of which are classified as "high severity". The rate at which new vulnerabilities are being reported has increased by 23% in the last year alone. Cyber criminals target specific vulnerabilities at the point in time when they attack. In such a dynamic and fast-moving environment, regular and varied security activity is essential to address the continuously evolving threat landscape, and it complements your organisation's compliance audits.
WHAT DO YOU NEED TO RAISE WITH YOUR BOARD?
Increasing the regularity of detailed audits, either through advanced configuration auditing tools or penetration testing, combined with regular scanning-based security hygiene and investment in staff awareness training, will help reduce liability risk in 'duty of care' litigation.
Written by Andy Williams, International Business Development at Titania
First published by Computing Security Magazine, August 2013