Compliance does not equal security
By Gerry Grant, Chief Security Officer.
Cyber Essentials, Cyber Essentials Plus, GDPR, ISO 27001, the list of different ways in which an organisation can show that they are taking cyber security seriously is almost endless.
However, it’s important to recognise that compliance with a standard does NOT guarantee that the organisation is secure. Achieving a cyber security standard is a great start, but this is only the beginning of the journey.
It is all too easy to think that being compliant makes people safe and secure, but things change, especially in the world of IT and cyber security. Take for example your car’s MOT. When you take your car to get MOT’d, the garage runs through a series of checks to ensure that your car is roadworthy at that point in time. When the mechanic issues the MOT certificate, your car meets the standard and is deemed to be safe to drive. However, the moment that you drive the car out of the garage, something may happen. You might run over a nail that punctures a tyre. Is your car still safe to drive? It still has an MOT certificate, so technically it is still compliant.
Maintenance is key
The same can be said of all the cyber security standards. The moment that an assessor says that you have passed the Cyber Essentials certification, your network is compliant. But what happens when you add a new computer to the network, or a new printer? What happens when a new member of staff joins your team? Have they been made aware of the policies and procedures, and do they understand them? What happens when a new security vulnerability is released? These are all common occurrences in business, and checking that they are being addressed is part of maintaining a good cyber security posture.
Compliance is only the beginning. Organisations need to be constantly aware of the changing landscape of their cyber security risk. These risks need to be managed on a regular basis, not just once a year when the auditor turns up.