Planning for compliance and security

A recent ESI Thoughtlab report reveals how many small-to-mid-size businesses are planning to approach cyber-insurance spending over the next few years.  Namely, about 65% of them plan for increases (58% for larger firms).  This decision reflects a growing realization that cyberattacks are inevitable: 45% now expect a breach to happen soon.  As remote working continues, 55% regard employee devices as the main risk to their enterprise.  Personal devices are, by their nature, less protected than company-managed ones: they typically lack the patching, endpoint controls and monitoring applied to corporate hardware.

At the same time, however, an Infrascale study shows that too many of these organizations, more than is realistic, feel they are prepared for a data breach.  Many still forgo even basic multifactor authentication.  Often this overconfidence stems from a satisfactory compliance result.  The audit went well, you got the seal of approval, you’re good to go; except compliance doesn’t automatically equate to good security.  It’s been a long time since we’ve discussed this, but you have to consider how frequently compliance regulations shift.  What helps you pass an audit today could change tomorrow.  And the larger the organization, and the more locations in which you do business, the more regulators, rules and standards you have to meet.  There are hundreds of such regulatory bodies around the world.  To meet any number of their requirements, enterprises must pass audits.

However, audits are clear, scheduled events for which IT teams can have months to prepare.  Nothing of the sort can be said for data breaches.  Attackers choose their own timing and methods, so random chaos would be a more accurate descriptor of when and how they might go after your network.  Whereas audits encourage a one-time, point-in-time approach to security (studying just to pass the test, especially when new tests are constantly coming), measures like clear and continuous risk management are necessary to actually stay compliant and secure.

Stricter access controls also help, making it harder for unauthorized individuals to get into systems in the first place.  According to Dr. Torsten George, Cybersecurity Evangelist at Centrify, such stricter standards may indeed be mandated in the future, “especially when it comes to secure remote access by key IT stakeholders and outsourced IT.”

Businesses of all sizes may be planning for more investment, but it seems that a false sense of preparation still abounds, and that gap is what leads to breaches.  The resulting spike in these incidents, which we’re seeing even now, could very well be what spurs policies of reduced tolerance from global regulatory agencies.  It’s a positive that more people now recognize cyberattacks are no longer hypothetical, but there is still room for improvement in how we approach staying secure.


By: Jonathan Weicher, post on June 24, 2020
Originally published at: http://www.netlibsecurity.com
Copyright: NetLib Security