Another day, another security breach. So goes the news cycle, recounting stories of the ever-growing number of organizations being hit by cybercriminals. Attacks on companies big and small are now common as attack surfaces continue to expand.
It seems nobody is immune. The Cybersecurity and Infrastructure Security Agency (CISA) reported ransomware attacks against 14 of the 16 U.S. sectors designated as critical infrastructure.
Attacks have become more aggressive, more sophisticated, and more pervasive. In nearly every reported incident, companies were in compliance with regulatory requirements. While compliance is essential, it simply isn’t enough on its own to create an effective cybersecurity posture.
Compliance standards exist to establish a minimum set of best practices for organizations' cybersecurity. Meeting these standards helps them reduce risk by putting in place policies and controls that govern and protect intellectual property.
Failing to meet compliance regulations can have severe consequences. Not only does it become easier for cybercriminals to breach your systems, but noncompliant companies can also suffer significant losses from fines and penalties.
Noncompliance can severely damage your reputation. In some cases, it can even lead to criminal charges and jail time. If a breach does occur, not only will you be accountable for the damage but you may also face civil lawsuits for failing to take proper precautions.
Regulatory bodies take into account the most common threats but often lag behind the current threat environment. Just meeting compliance standards doesn’t mean your cybersecurity strategy is mature.
You can be compliant and not cybersecurity mature, and that's dangerous. It can give organizations a false sense that they've mitigated the risk. More mature organizations know that compliance is just the foundation for building a cyber-secure infrastructure.
Mature companies may start with the NIST Cybersecurity Framework or ISO 27011 but add proactive security measures to reduce risk and strengthen their cyber defenses. For example, companies doing business with the government know that a low maturity level may prohibit them from contracting with government agencies. Department of Defense subcontractors must go through Cybersecurity Maturity Model Certification (CMMC) and will likely have to prove they are at CMMC Level 3 or higher.
We recommend the MITRE ATT&CK® framework to go beyond compliance and achieve a higher level of cybersecurity.
Just checking off the box for compliance standards is only the first step in improving your cybersecurity maturity. Without going beyond a compliance checklist, you’re leaving the door open for malicious activity.
Compliance requirements get outdated quickly. Cybercriminals are constantly evolving their tactics, techniques, and procedures (TTPs), and compliance checklists simply don't keep pace. If you're just meeting these requirements, you might only be protecting yourself against tactics that are years or even a decade old.
Threat actors also know what’s in the compliance regulations, so they avoid the things that would flag their attacks. Security teams focused solely on compliance often find themselves fighting the last war when their adversaries are already using future technology.
Compliance is like building a two-foot fence around your perimeter. Cybercriminals know this, so they’ll simply bring a ladder to bypass your fence. If you stop at compliance, you’re putting yourself at significant risk. Organizations that do defense in depth will add additional layers of cybersecurity. They’ll add an eight-foot fence, a moat, 24/7 guards, and sophisticated advance warning systems.
Despite all of the cybersecurity strategies organizations put in place, most of the breaches you read about are identified by third parties outside the organization. Reports come from law enforcement, researchers, security companies, and cybersecurity bloggers who may see attacks in the wild before companies see them internally.
Without external resources, many of these incursions might go unnoticed. IBM reports that it takes businesses up to 280 days to detect and contain a breach, and most breaches occur in companies that are already compliant.
The most secure companies will also add a more advanced layer of proactive cybersecurity: collective defense, to expand their threat hunting and assessment. Rather than waiting for a fire to start and then putting it out, collective defense focuses on finding the smoke before the fire breaks out. Through the anonymized exchange of threat information among partners, organizations expand their visibility well beyond their own networks.
When one partner sees smoke, they investigate and report outcomes to the group. They help assess and triage potential warning signs and share the knowledge with the collective to make everyone stronger. Organizations benefit from more eyes constantly looking for potential threats to provide earlier detection for the broader community.
Compliance is a matter of meeting regulatory and industry best practices, but it's up to organizations to build a more mature level of cybersecurity that actually provides protection. Cybersecurity leaders go well beyond checking the compliance box: building and optimizing security that protects critical assets is what enables business transformation.
Stay on top of the latest evolving trends by signing up for IronNet’s Threat Intelligence Briefs.