So, your company was certified for ISO27001, PCI DSS or whichever standard you are either required to align with because of your industry or legal obligations and you think your security job is finished. Hahaha, not even close. Just because you have jumped through the hoops and fought through the red tape to get that pretty certificate and snazzy logo to display on your website or in your foyer to say you have met the requirements doesn’t mean that you will not have a security breach. If you think it does then please do both of us a favour and read this article a couple of times, so I can convince you otherwise.
Compliance should be considered as just the first step in a continuous effort to better your security standing, Security compliance is in no means the finish line in your race to protect your organisation. The sad thing is that many organisations only complete these certification processes for publicity or reputational benefits, I am told time after time by companies "we have completed our compliance requirements this year we don't need to worry about security anymore", please don't fall into this trap. Let me be very clear here, I am a certified ISO27001 auditor and I think that aligning your organisation with a framework such as this is a great idea.
If your organisation aligns with a framework and works towards becoming certified than it can only help you improve your internal policies and procedures which is great. I am sure that you will improve on the actual security of your systems with the introduction of formal processes. I believe that there are many benefits to this process and completely recommend it (just wanted to be clear on that). The problem I want to focus on however as you would have gathered already is stopping here, thinking that certification is the finish line.
In the first month alone of 2019 there were many big-name breaches in Australia such as Victorian Public Servants, Nova Entertainment, Hawthorn Football Club, Big W, Early Warning Network, Victorian Government, Department of Planning and Environment NSW, First National Real Estate, Fisheries Queensland, Optus. Now there is more but I thought the first 10 I found would be enough to make my point here, all of these companies would be aligned with security governance/compliance frameworks and believe would be either certified or working towards certification under more than one of them. However, they were all breached in January 2019. The reasons why are could be many factors, but I don’t want to dive into each scenario and determine the specific cause, but I want to alternatively draw attention back to the fact that certification does not mean you will not have a data breach.
If we truly want to start to make a difference in this war that is being waged in cyberspace we need to understand that fact, Yes go out do everything you can to meet your compliance requirements, yes get certified. I encourage all of you to do that. Once that is done though (although compliance certification is never really done), go back to basics on security. Train your staff (not just once to get the compliance tick), set up a plan and try to improve on awareness constantly. Any improvement will be a benefit to the organisation, most breaches are phishing, or social engineering type attacks these days.
So, train, train and train. Make it fun, make it memorable but do it and try to do it well. Work on network segregation, make sure you can’t reach backups from your primary network, separate departments. Then make sure that your systems are updated as much as possible (I know some of you will still say you can’t but update what you can and what you can’t make a plan so that you can). I just want you all to not just think compliance means that you should stop trying to improve your security, it is just that first important step in many that we all need to work towards, but it is just that, One step of many.
I know you all understand what I am trying to get at here, let's not treat compliance as the goal but just gain compliance as part of our overall security improvement process. If we all do this and try to do the basics right then maybe, just maybe we can make a difference in this battle that is continuously testing our skills and resilience. We all get it, we know the challenges we each face on a day to day basis, but together we can do it.
Now, as is my normal way, tell me what you think? Am I completely off the mark, do you think I am asking too much or should we look at this situation in a different light? Let's have a conversation about it and work towards improving all of our cyber standpoints that is our aim isn't it?
Till next time…