Sure, meeting compliance is a fundamental annoyance of running a business. If only it were enough to keep your systems reliably secure at the same time – but it’s not. Meeting regulatory standards – and even non-regulatory security standards, like NIST or ISO – is a good stepping stone. However, companies that leave it at that often leave vulnerabilities in their systems as well. Here’s why.
Lack of Visibility
It is true that government regulations can help with risk management, and act as a good foundation for effective security. Unfortunately, leaving it at that can also leave blind spots in your system’s protection.
When referring to a business’s systems, “visibility” is most often thought of as the ability to monitor the performance of a company’s applications or networks. However, it is much more fundamental than that: visibility means knowing where and how your data is being collected and distributed, across your entire business. When you lack visibility, your systems have “blind spots.”
Many factors inhibit visibility and lead to blind spots. One is that companies are constantly generating and accumulating more data, which produces a complex, “noisy” environment to keep track of. Another major factor is that your security controls – like firewalls, intrusion prevention systems (IPS), and SIEM tools – must have access to your network in order to work well. This means they are also exposed to anyone who can tap into that network. In fact, a survey conducted by cybersecurity company RedSeal revealed that 86% of respondents reported gaps in their ability to see and understand everything happening inside their networks. Threats can also cloak themselves with security measures of their own, such as reaching the internet through encrypted tunnels that your monitoring cannot inspect.
Meanwhile, the cloud poses an entirely new difficulty in maintaining visibility. Independent research company Vanson Bourne conducted a survey on the state of cloud security and found that 67% of respondents reported network blind spots that posed a major obstacle to effective data protection. When you move your data to a public or hybrid cloud (as opposed to a private cloud), the processes going on inside the cloud can become obscured from you as the client. Plus, while you might have plenty of detection tools in place for your in-house operations, if an attacker sticks to your cloud-hosted data, your in-house tools won’t help you. All of these factors create additional blind spots, and a general rule of thumb is: if it’s unseen, it’s unsecured.
Visibility is something that many regulations don’t touch on at all. That being said, regulations still prohibit the consequences of having blind spots (like having sensitive data breached), even if they don’t address the necessity of visibility in plain terms.
As with too many security measures, regulatory compliance is rarely developed with foresight. In other words, many regulations were written in the wake of disastrous and embarrassing failures that had already happened. Security issues that don’t catch the public eye are simply neglected by compliance, even though they can just as easily lead to future disasters.
Most regulations – like the Sarbanes-Oxley Act (SOX), Basel II, or HIPAA – require two things: data security and data availability. “Security” also takes on more than one meaning in this case, since it could mean data that is secure from unauthorized access (required by HIPAA) or data that is disaster-proof.
While you can’t meet most regulations without these two things, many regulations don’t spell out that this is what’s needed. For instance, basically every regulation will require you to have disaster recovery (DR) solutions in place – and basically no regulation outright states that. This is because you can’t have available data or records, or create reports on them, if you lose that data in the first place. That being said, many companies are overconfident about their vulnerability to disasters – a funny idea when you consider that human error is the leading cause of “disasters” as a whole.
The Solution: A Two-Sided Attack
Meeting compliance is a good start. Aligning yourself with security standards like NIST and ISO is an even better start, and can be a strong foundation for network and cyber security. That being said, the best approach is two-sided: tackling the concerns addressed by compliance standards on the one hand, and applying threat intelligence and analytics on the other.
According to Bob Carver, Senior Security Analyst for Verizon Wireless, many companies that focus primarily on compliance with standards, and less so on threat intelligence and analytics, do not fare well at discovering compromised endpoints. Meanwhile, those that focused on the latter were able to discover compromises faster, even compared to companies that had “far more controls in place.” This shows a fundamental philosophical difference leading to real results. The moral of the story? Tackle your security standards from both ends: meet compliance as a foundation, and use threat intelligence with analytics to bring it to the next level.
For more information on how to make your system’s cyber security more than just meeting compliance, contact us today at 317-707-3941.