When I discuss cybersecurity with business leaders, the most common misconception involves the role of security compliance. In a recent post, I described the reality of cybercrime as a wild frontier of advanced attackers who can critically damage your business with impunity. In this dangerous environment, it’s important to realize that compliance alone will not protect you.
Earlier this year, the San Francisco Municipal Transportation Authority (SFMTA) was attacked by cybercriminals who held its computerized systems for ransom. These “ransomware” attacks are quick, efficient, and financially lucrative for the attackers. SFMTA recovered—using its backups and executing its incident response plan—but not before providing a weekend of “free rides”. SFMTA could not process payments, spent significant resources on the response, and felt a financial impact that far exceeded the original ransom amount.
After the attack, forensic analysis indicated that the systems holding financial data had not been compromised, and that SFMTA was, at the time of the attack, compliant in protecting that data. When you research cybersecurity breaches, stories like this are common: an expensive and damaging breach occurs, followed by an investigation that finds the organization compliant with all relevant regulations (or at least compliant up to the point of the attack).
It’s easy to resolve the cognitive dissonance of being compliant yet painfully vulnerable if you think about the purpose of compliance. Regulations and compliance requirements are meant to protect your clients and business-to-business partners, not your own assets or your continuity of business.
Compliance does not cover the unique elements of your business that are critical to your continuing operations (to say nothing of being profitable). You may fully meet regulations and compliance requirements, yet be unable to process orders or provide service. You may be compliant and unable to compete because your intellectual property has been stolen. You may be compliant all the way out of business.
Security must go beyond compliance and regulation, towards a posture that protects the entirety of the organization. With limited resources, it is tempting to stop at the bare minimum of compliance, but a security testing and defense program whose scope is limited to compliance is doomed to be dangerously incomplete. Real attackers will look for vulnerabilities and conduct attacks across the entirety of your network. To be effective, security testing must involve offense-oriented testing of your network’s entire scope.
Falling victim in the coming year will be much more expensive than it has been in the past. In future columns, I’ll dive into these trends in more detail. Until then, implement comprehensive testing so that you and your business do not become the “compliant” victim.