Ever get the feeling that cyber criminals are always at least one step ahead of the authorities and the rest of us? That there is nothing standing between them and your company becoming the next Target, the next Home Depot, the next Yahoo? That it’s just a matter of time before the next massive data breach occurs, further destabilizing consumer trust in our cyber infrastructure?
You aren’t alone.
The simple fact is that we’re facing an unprecedented era in cybersecurity, one in which the criminals seem to -- at least for now -- have the upper hand on business and law enforcement authorities. As it is now, we’re permanently behind.
And the regulatory structure facing the cybersecurity industry is, in some cases, compounding the problem. By defining their security policies based on regulatory requirements, too many businesses are implementing policies that are months if not years out of date, leaving themselves vulnerable to hackers who are operating at a much higher level than today’s regulators.
Jim Kennedy, a senior sales and operations technology executive, addressed these concerns in a recent issue of CSO magazine, writing:
“With high profile security breaches continuing to hit the headlines, organizations are clearly struggling to lock down data against the continuously evolving threat landscape. Yet these breaches are not occurring at companies that have failed to recognize the risk to customer data; many have occurred at organizations that are meeting regulatory compliance requirements to protect customer data.
Given the huge investment companies in every market are making in order to comply with the raft of regulation that has been introduced over the past couple of decades, this continued vulnerability is – or should be – a massive concern. Regulatory compliance is clearly no safeguard against data breach.
Should this really be a surprise, however? With new threats emerging weekly, the time lag inherent within the regulatory creation and implementation process is an obvious problem. It can take over 24 months for the regulators to understand and identify weaknesses within existing guidelines, update and publish requirements, and then set a viable timeline for compliance. During this time, an organization with a security strategy dictated by compliance is inherently insecure. Furthermore, these are catch-all standards that are both open to interpretation and fail to address specific business needs or operational models – immediately creating security weaknesses.”
Here’s the problem -- technology moves far faster than any business or regulatory agency can ever hope to. For compliance officers, that means it is effectively impossible to outrun cybercriminals if all they are focused on is regulatory compliance. Regulations are simply behind the times as soon as they’re released.
What’s the answer for enterprises? Be vigilant. Be proactive. And more importantly, be smart. Just following the rules isn’t enough to protect you anymore.