If there’s ever been a good time to question your compliance, it’s now
Updated: Jan 25
As the business community is well aware, FireEye, the company that helps other companies identify the perpetrators of the most advanced cybersecurity attacks, itself fell prey to hackers. So sophisticated was the attack and so clever the timing that it was assumed to be the work of a nation state.
After a suitably large intake of breath for the sheer audacity of this, perhaps your thoughts, like mine, went something like this.
If FireEye is vulnerable, I am too
True. This incident serves as a large wake up call for all organisations that safeguard sensitive data. By sensitive we don’t only mean customer PII. It also includes financial, operational, R&D, trade secrets, and any data that’s subject to regulatory and control requirements. Like banking, finance and superannuation for example, which need to comply with APRA’s outlined standards for technology, process and risk management to be deemed acceptably ‘safe’.
How did they get in?
FireEye’s hackers went to extraordinary lengths to target them. They created thousands of net new IP addresses that had no connection with past attacks. They demonstrated an excellent knowledge of security operations in moving with stealth and evading detection within FireEye’s own systems. However, they still needed to operate within ‘gaps’, or vulnerabilities in the security armour of the corporate data environment.
The fact is, ap tolerance is shrinking fast, as the business world becomes more reliant on data stored in the cloud and greater volumes of business-critical information is accessible there through non-compliant infrastructure. If there’s a single piece of advice I can give to companies starting to question their confidence in the security of their data, it’s to do a gap analysis.
How do I know if my security strategy is right?
Again, it comes back to knowing where your vulnerabilities exist and that needs to be a part of a broader GRC (Governance Compliance & Risk) assessment. Guaranteed, you will find vulnerabilities lurking in non-compliant (often older) systems, making compliance a focal point. Building your fortress could be a simple case of fortifying your tech. Or there might be more to it, in terms of changing your processes, or your tech, to gain the ability to identify future vulnerability before it has impact. Either way, you can’t defend a crumbling castle. Checking for compliance gaps in your infrastructure must come first.
Using an independent third party is fast becoming mandatory by many of the regulators. But it also makes really good business sense when it comes to identifying compliance requirements as part of a larger corporate infrastructure. That’s because most companies are departmentally biased. It’s true! Each department conducts its own compliance exercise and checks the box without truly having a helicopter view of organisational compliance. It’s like constructing a path from bricks. Each one is perfectly intact, but laid on its own with no cohesive plan, you have a sure-fire way to leave gaps for the weeds to come through.
When you conduct an organisation-wide gap assessment to become completely aware of where noncompliance exists in your corporate landscape, you can choose when and how to close them. More importantly by integrating your risk management across the organisation, you can focus on what truly matters. There’s a world of difference between choosing not to act immediately on closing your gaps because you have weighed up your risk, and ignoring them completely, thus exposing yourself to goodness knows what. The former puts you in complete control of your risk framework.
How can I stay compliant?
Compliance requirements are shifting sands. Even when a security framework meets a compliance requirement, regulations can change on a dime. Even you can change, as an organisation. Hackers can develop new techniques that force transacting securely as a business into a whole new direction. That’s why GRC (Governance, Risk and Compliance) shouldn’t be viewed as a single act but an ongoing focus.
One of the best ways to do that without ploughing through your budget and resources in record time is to make smart decisions about compliance systems.
If you are wrangling data downloads within Excel spreadsheets to gain visibility of your organisation’s security posture and ability to comply with industry GRC mandates, then you can look forward to a truck load of cost, a regular drain on your resources, and a very large headache to boot, each and every time.
On the flip side, when you build a robust compliance environment, ongoing compliance becomes simple. Dare we say, easy?
When choosing a tech-enabled GRC strategy, ask yourselves:
● Does my GRC platform come with pre-configured Forms, Workflows, and Dashboards for common GRC processes and standards? These can be used ‘out-of-the-box’ to rapidly support specific process needs. For example, for capturing process inputs, such as GDPR, ISO 27001 controls, Risk Assessments or Third-Party Assurance questionnaires.
● Does my GRC platform support Organisational Groups? These allow you to centrally manage your permission structure and control access to compliance forms and other documents.
● Does my GRC platform support Tasks, Workflow, and Projects? Create these to support your company’s productivity and process requirements. Tasks can be associated with forms and let you assign individual actions to a person or a team. Workflows introduce automation that speeds up compliance. Projects help you track progress across the organisation, not just individual departments.
● Does my GRC platform have Dashboards? Don’t underestimate the ability to set up custom dashboards summarising relevant information relating to roles, permissions and projects, as well as delivering reporting and analytics to help you make important risk related decisions fast.
What’s the risk of not answering wake up calls like these?
We are living in a multi-cloud business world that has suddenly been thrown into a distributed workforce model as a result of the COVID-19 crisis. FireEye’s unfortunate incident proves there’s never been a better time to ask yourself whether you’re well-positioned to achieve and maintain good compliance across a complex cloud environment. And, in doing so, reduce your risk in an increasingly ingenious world of cyber threats.
If you want to talk about a gap assessment for your organisation, get in touch