It seems almost impossible to turn on the TV or pick up a newspaper without hearing about another security breach. From Ashley Madison to TalkTalk, breaches have become commonplace in the media, so much so that statistics recently compiled by the Office for National Statistics (ONS) suggest that cybercrime has now overtaken ‘physical crime’.
According to the ONS, more than seven and a half million fraud and cyber-crime offences are committed every year in the UK, compared with an estimated 6.5 million incidents of physical crime. The sheer frequency of cyber-attacks raises an important question: should your company be doing more to secure its data, or are breaches simply inevitable?
The way the business perceives security and compliance activity is often one of the main problems IT and security professionals face. In my experience, many businesses treat security and compliance as simple box-ticking exercises. The trouble with viewing security this way is that time is wasted and money is thrown at the problem in the hope of a quick fix. There is no point paying for a security product or solution that does not actually secure your business, just so you can say you are compliant.
Compliance is undoubtedly essential, but the organizations that do best are those that understand why their assets need to be secured and protected. Don’t spend money on a security solution without first understanding why your business might be attacked and which of your assets are most attractive to an attacker. With that understanding, you can choose the solution that fits your organization’s needs, rather than working backwards from a product you have already bought.
With this in mind, here are some tips to consider if you are dealing with a tight security and compliance budget:
Think big – Avoid framing requests for resources and budget in mere ‘compliance’ terms and consider the bigger picture. If you can effectively position how the activity supports organizational strategy, you’ll boost your chances of getting support from the executive team.
Internal changes – Can you change anything internally to reduce the number of areas that require compliance controls? Reducing the number of systems that fall within the scope of a standard (for PCI DSS, for example, the systems that store, process or transmit cardholder data) lets you do a more focused job over a smaller footprint, which in turn reduces the budget required.
Budget strategy – If budgets are stretched, consider making larger cuts to a small number of organizational areas rather than trimming everything a little. This also helps to refocus attention and highlight the priority areas.
Balance – Make sure the activities surrounding compliance are given proportionate attention. Concentrating on a single area leads to neglect elsewhere, which can end up costing more in the long run.
Full circle compliance – Introducing security and compliance controls may require a larger initial investment of time and money, but doing it properly the first time saves resources later on. Addressing all compliance requirements together is more efficient, because the IT department can satisfy multiple overlapping standards at the same time. For example, many of the controls and concepts in the Payment Card Industry Data Security Standard (PCI DSS) are also required under the Data Protection Act.
Enforce service level agreements (SLAs) – Security SLAs help to ensure that new systems entering your environment stay covered, secure and compliant over time. This is particularly useful if you outsource your security systems to a third party: when a patch or update is released, the SLA obliges the third party to apply it properly and within an agreed timeframe, leaving you free to focus on other aspects of your security operation.
Seek advice early – Speaking to independent industry professionals about how to get the most out of your security and compliance budget is crucial. Don’t hold anything back when describing your current systems; be honest and open about your existing compliance challenges so that the resulting strategy can be tailored to your business.
Given the number of public data breaches we have seen this year, implementing a comprehensive security plan has never been more important. It is not a question of if it will happen to you, but when. With cyber-attacks occurring this frequently, it is better to be safe than sorry.