Cyber: a box-ticking exercise?

by Mark Rowe

Organisations have long been expected to run in line with legislative requirements. As an essential part of maintaining reputation, boosting consumer trust and ensuring long-term continuity, complying with legislation such as GDPR is not only preferable, it’s necessary. However, there is a downside to the UK’s obsession with compliance. Not only do businesses have a tendency to invest huge amounts of money in security measures that they simply don’t need, there is also a lack of emotional investment in the practices that the legislation is there to uphold – as well as missed opportunities for businesses to genuinely improve their security standing, writes Glenn Warwick, Principal Cyber Security Consultant at the consultancy Bridewell.

So, how can businesses achieve company-wide buy-in to industry best practice – whilst staying compliant?

The right resources in the right place

With legislation such as GDPR and the NIS Regulation setting the standard for cyber security, many businesses have had to increase investment in their security in recent years to ensure full compliance. However, simply adhering to standards is no guarantee of security. Of course, ensuring that the correct standards are being met is the first step. But to achieve true, long-lasting security, businesses must continually assess risks, educate their people and invest in the right solutions. By adjusting and updating their security controls in line with changing threats, companies can continually deploy industry-leading techniques to mitigate risk, helping them to avoid breaches, as well as any associated fines.

Adopting a ‘security-first’ culture

When it comes to data security, one of the biggest risks is human error. Fostering a security-conscious business culture can dramatically reduce the risk of a breach – and employee education is the key to success. However, creating this culture has to start at the top. The assumption that a security certificate alone will provide adequate data protection is the riskiest part of the UK’s current ‘compliance culture’ – where employees do not feel accountable or responsible for upholding best practice. By ensuring that employees fully understand the need to operate best-practice security controls, companies can achieve widespread organisational buy-in – and in turn, this will help mitigate attempts to circumvent time-consuming or inconvenient processes. It will also avoid a culture of ‘audit passing’, where time and effort are only invested to achieve certifications, rather than running best practice through the core of business operations.

The impact of remote working

The current climate of remote working has accelerated the need for robust organisational security measures. With 46% of organisations across the UK, US, France and Germany having suffered at least one “cybersecurity scare” since the lockdown began, the sudden shift to remote working has opened up vast opportunity for scammers to take advantage of the unprecedented situation and infiltrate organisations’ newly vulnerable security systems.

With the resulting financial and logistical issues of a weakened set of operational security resources, reduced revenue, furloughed staff and redundancies, businesses are not necessarily able to operate with the same level of security as before the pandemic. As such, it’s more important than ever for companies to focus on maintaining their security resilience. By identifying the various kinds of attack that they could face during such unprecedented times, vulnerability exposure can be better identified, monitored and managed on an ongoing basis to prevent hackers from exploiting weaknesses. This can be achieved through maintaining basic cyber security hygiene practices such as software patching, or by engaging alternative mitigating strategies. For example, hardening operating systems, or implementing additional security such as firewalls and antivirus software, can help strengthen security measures in order to support a newly remote workforce.

Capitalising on central service from a competent authority

Identifying the correct level of security for an organisation is essential – both from a compliance perspective, and when it comes to implementing cyber security measures that are fit for purpose. By working as a community, industry sectors can utilise central insight from a competent authority; using a baseline cyber assessment framework against which they can measure their own security practices and identify areas of improvement.

However, it’s clear that to truly avoid the culture of ‘box-ticking’ security compliance, simply adhering to these legislative standards is not enough. Without taking an organisation’s individual needs into account, they are likely to suffer the consequences of inappropriate, ill thought-through security controls that have been put in place simply to meet arbitrary requirements. Working with security experts can help organisations narrow down their own needs within the guidance set out by the competent authority – helping them uphold best practice, comply with legislation and put processes in place to meet their own specific needs.

Above all, by focusing on the ‘why’ of upholding best practice – rather than simply adhering to it – organisations can work to implement the right processes in the right place, whilst educating their people to uphold these values too. Not only will this serve to reduce the widespread organisational culture of ‘compliance showcasing’, but it will help businesses move away from blindly following legislation and instead identify the necessary areas on which to focus their compliance efforts, safeguarding their industry standing.
