Is IT Security Compliance Important?
At first glance you’d assume all compliance is important, particularly when it has to do with an organisation’s IT systems. However, the question of whether it equates to a comprehensive shield against external threats and cyber-attacks is not as straightforward as one would expect.
“Being compliant is not an assurance or guarantee of any kind of protection,” says Dylan Holloway, Cyber Security Manager at EY. “You can be 100% compliant with whatever framework you want and still be hacked, and on the flipside, you may not have any controls and be entirely non-compliant and never get hacked.”
Arguably then perhaps compliance itself is not important. The truth of it is that simply being compliant is not enough for the majority of companies when it comes to preventing attacks. It is far more complex than ticking the right boxes and securing the right controls. If you’re working in IT Compliance and want to really ensure your organisation is primed to be cyber secure, you need to go beyond compliance and look at the company itself. Think about the industry you operate in and do some research to find out who your biggest threats are, who’s likely to attack you and what their possible motivations might be.
Being able to answer these questions will enable you to start niching your controls based on the information they deliver.
- WHO is going to attack me?
- WHY are they targeting me? What are their motivations?
- WHAT will be their mode of attack?
- HOW do you defend against those specific attacks?
For example, the most probable threats to a government will likely come from foreign governments who want to hack them and steal their data. “They’re not going to ransom them or steal their money in the same way they will if targeting a bank,” explains Holloway. “Hackers aren’t interested in what the manufacturing looks like or even the data when it comes a bank or international FMCG, they want money.”
However, while the likes of Barclays or Johnson & Johnson are prime targets for a ransomware attack, smaller businesses will find themselves more likely to be targeted by small gangs of hackers via phishing schemes and weak passwords, looking for opportunities to make a quick buck.
So, it could be said that IT Compliance in itself is not important. You need to understand the bigger picture to properly evaluate your assets and the attackers targeting those assets. Unless you know why you’re being compliant with something and why you’re choosing a particular framework you won’t have the knowledge or tools to then pre-empt what the attackers are going to do. It’s not enough to be just compliant.