By Sandeep Bhargava
For an organization, adhering to compliance standards such as the GDPR is an important step in protecting its business. The company must address critical controls around firewalls, passwords, encryption, malware, and access, and implement best security practices through a rigorous compliance process. In this way, the organization has incorporated some critical elements in its security program.
However, with today’s cybersecurity landscape evolving so rapidly, compliance alone is not enough to keep a company safe. It is time to focus on strengthening the security of your cyber infrastructure. If central internet protocols are fundamentally insecure and mobile devices continuously build on such systems, companies become more susceptible to cyber attacks.
Recently, many companies in India have been the victims of a number of cyberattacks, including the dreaded ransomware. According to a global survey by cybersecurity company Sophos, India recorded the highest number of ransomware attacks. Ransomware reportedly hit around 68% of businesses and resulted in more than $76,619 in total ransom payments.
In March 2021, data presented to parliament by the Indian government showed that nearly 1.16 million cyberattacks were registered in 2020, a sharp increase of three times the number of incidents the year before. To prevent cybersecurity incidents from recurring, organizations must do everything in their power to ensure that their cybersecurity infrastructure can withstand such attacks.
Compliance standards are usually designed for a unique and specific purpose. For example, the Personal Data Protection Act, introduced in December 2019, mainly focuses on comprehensive protection of digital privacy. However, compliance standards are often limited to a specific area boundary or “enclave”. They may not necessarily protect critical assets, systems, and functions that are critical to an organization (outside of this enclave). Even within those boundaries, it is likely that organizations will still need to implement more extensive controls to improve the security of the overall environment in which they operate.
While compliance standards certainly address the goals of the compliance initiative for which they were designed, they are not intended to be used as the basis for an organization’s cybersecurity program. Therefore, it is imperative for companies to carefully review some of the following recommendations and assess whether they are right for them.
Integration of compliance programs into a risk-based framework
A risk-based framework focuses on understanding and responding to factors that can lead to failures of confidentiality, integrity, and availability. This starts with controls that protect an organization from current or perceived risk scenarios. You can effectively leverage risk-based frameworks to build or improve your cybersecurity programs. Additionally, an organization can easily customize the design and implementation of controls based on the risk.
When a risk-based framework is applied, organizations can create a more secure overall environment that goes beyond compliance. In addition, it will also help them to continuously stay current and relevant to deal with the challenges of a rapidly evolving security landscape, as it will be much easier to freely change controls based on risk factors that are important to them.
Regulations are often not updated quickly enough to ensure adequate security. Hence, combining the required compliance programs with a more thorough, risk-based framework is a far better path.
Advantages of a risk-based framework approach
By implementing a risk-based framework, companies can:
- Thoroughly protect your most critical assets
- Customize the controls to meet your specific security and organizational needs
- Take a more proactive stance on security
- Promote a resilient culture
- Organically improve your regulatory compliance posture
A risk-based approach to cybersecurity has all of these benefits and more based on its basic and pragmatic design. It is important to first understand what the most critical assets are and then respond to real-world risk scenarios that could affect those critical assets. This approach helps an organization find the right path towards proactive security that minimizes its threat landscape.
By encouraging employees to work with risk team members and share actual threats (coupled with a risk team that proactively searches for threats), the corporate culture becomes more resilient to changes in the external environment. This alone will help to improve the control position organically, which at the same time also supports the downstream regulatory compliance maturity.
Risk-based frameworks to consider
To effectively manage a cybersecurity program, organizations should implement a risk-based framework that may also help them maintain compliance. The three most popular frameworks, especially in India, include:
- ISO/IEC 27001, published by the International Organization for Standardization and the International Electrotechnical Commission, is an internationally recognized standard that provides a risk-based framework for information security management systems (ISMS). It is designed to ensure the continued confidentiality, integrity, and availability of information and can be used by any type of organization that needs to manage the security of its assets. Organizations can also become certified against the standard and thereby achieve various business benefits, such as retaining existing business, winning new business, and improving their overall security posture.
- The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce tasked with researching and establishing standards for all federal agencies. In particular, NIST Special Publication 800-53 defines the standards and guidelines for federal agencies to set up and manage their information security systems. Although NIST was established to provide guidance on how to protect government and citizens’ private data, this risk-based framework applies to a broad base of public and private sector organizations. For this reason, private sector companies can and do choose to implement this framework, or parts of it, as part of their own cybersecurity programs, treating it as the industry’s generally accepted gold standard. The overall design of NIST 800-53 is business-centric, which means that its controls are not as boundary-specific as those of other regulatory compliance programs.
- The Reserve Bank of India’s Cybersecurity Vision Framework is primarily designed for urban co-operative banks, or UCBs. Given the heterogeneity of the UCB sector, whose members differ in size, region, financial health and digital depth, a uniform approach is not the way to go. Therefore, the cybersecurity framework for UCBs takes a phased approach, determined by the risk of their digital services, to ensure that those with high IT penetration or a wide range of payment services are raised to the same level as other banks that have more mature cybersecurity infrastructure and practices. Primary responsibility for implementing cybersecurity controls rests with the UCB board of directors.
When it comes to security management, organizations need to understand that cybersecurity is based on how the business manages risk. They also need to look inward to ensure that their employees are well equipped to deal with security incidents.
In this way, companies can adequately address all elements of their security concerns and relieve their internal teams. When this is accomplished, companies will be able to shift their focus to more strategic initiatives to help their businesses grow.
The author is Managing Director, Asia Pacific Japan