The Obvious Partnership — Compliance and Cybersecurity
Cybersecurity compliance, like the compliance profession, is rapidly growing. The forces pushing cyber compliance are two-fold: the ever-increasing and changing nature of cyber threats and harms, and the logical application of compliance strategies.
Compliance has to work closely with in-house corporate information technology. To the extent a company outsources information technology to a cloud provider, compliance will serve an even more important function in coordinating with the cloud service to ensure adequate prevention.
In designing a cybersecurity compliance program, there are a number of elements that have to be addressed. From a risk perspective, there are a few key points to beginning this process. As Verizon’s 2017 Data Breach Report (here), 75 percent of data breaches are the result of an attack from outside the organization. Approximately 25 percent are conducted by bad actors within the organization.
There are two significant weaknesses that are commonly exploited when a data breach occurs.
First, company employees are often victims of a phishing attack that results in the installation of software, and in many cases, malware. According to the Verizon Data Breach Report, 66 percent of malware was installed via malicious email attachments.
Second, companies often fall victim to hacking attacks because of stolen or weak authentication and password protections.
According to the Verizon Data Breach Report, nearly 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords. Interestingly, only 14 percent were the result of errors or privilege misuse.
Without glossing over all the other significant threats to a company and the cyber harms that can occur, there is an important point relating to compliance that should be made. The compliance profession is dedicated to the prevention of corporate harm. Compliance officers are trained to focus on proactive strategies to prevent employees from engaging in misconduct – thus, we see corporate compliance programs training employees, promoting a corporate culture of compliance, providing regular advice on compliance issues, and building in controls to prevent misconduct.
This same proactive strategy falls right within the core competencies of the compliance function when it comes to cybersecurity. If the company wants to reduce the risk of a cyberattack, the company has to provide compliance training, monitoring and accountability around controls needed to ensure that employees: (1) recognize phishing attacks and report them when they occur; and (2) maintain strong password and authentication protections to prevent hacking by exploiting authentication and passwords for access to company data.
Cyber threats can be mitigated by effective strategies that coordinate prevention for the organization and for individual employees. Of course, these new paradigm stretches to third-party risks because hackers have numerous avenues to attack a company and will look to exploit any cyber weakness. All of these risks are compounded by the ever-expanding Internet to include the Internet of Things. It is no wonder that corporate boards and senior executives complain of headaches and cascading risk scenarios to threaten real harm to the company.