Are reactive regulations hampering our ability to be proactive?

Is reactive compliance hampering our ability to stay ahead of attackers?

Cybercrime has become increasingly difficult to counteract in recent years; in part this is due to the rapid rate at which new technologies are being deployed. Accruing and storing data has never been easier thanks to advances in the cloud, but protecting that data from breaches has become more of a challenge. Similarly, as the IoT expands and AI takes on a larger role, more challenges will become apparent in time. If we want to stay one step ahead of attackers, why then are we predicating our regulatory approach only on the latest victories of hackers?

Typically, regulations do not come into force unless something disastrous has happened, or under mounting public pressure – which usually comes after a major incident has taken place. Even then, they can take years to be drafted, legislated, and implemented. Is this really the way we should be dealing with cyberthreats?

Regulations are vital to ensuring a minimum level of cybersecurity standards is achieved, but we must see them as just that: a minimum standard, the very baseline of our efforts. Regulations are a great foundation, but foundations are meant to be built upon.

Yet many businesses still aim to simply meet the latest regulations and stop there – conflating compliance with security. Since cyberthreats are continuing to evolve in severity and complexity, is our focus on reactive regulations hampering our ability to be proactive in the face of cyber threats?

The reactive approach

The General Data Protection Regulation (GDPR) is a prime example of how the current reactive approach to cybersecurity and compliance relies too heavily on achieving the bare minimum.

In a nutshell, while the Data Protection Act 1998 made it a crime for personal data to be accessed without consent, it did not hold anyone to account for failing to protect this data. However, the 2018 addendum, which was introduced to support GDPR, made this a specific offense.

Of course, these regulations were a common-sense move, protecting individuals from cybercrimes and data theft. But, considering data breaches had been happening since at least 1984, this was a reactionary measure, not a proactive one. And it’s no wonder, when you consider the pace at which legislation moves. The blueprint for GDPR was first conceived in 2011, yet it took seven arduous years to be implemented as law.

Regulations must also balance effectiveness and practicality; they are a realistic expectation of duty. Because these regulations can and must be followed by everyone, by definition, they are the minimum accepted level of protection.

While this is not to say that regulations are not needed or that they are useless, it is simply not prudent to see them as the end goal of our cybersecurity efforts.

Compliant or not, cyber breaches have the potential to cause huge financial or reputational damage to your organisation. Treating compliance as a tick-box exercise, or a checklist to complete before the audit, misses their point entirely. By focusing on reactive compliance, we are hampering our ability to proactively tackle new and evolving cyber threats.

The proactive approach

To take the fight to the hackers, organisations must embrace a more proactive style of working, just as we’ve seen in other areas of IT. DevOps has allowed organisations to swiftly deploy iterative updates with increasing regularity, and cybersecurity partnerships have empowered organisations to circumvent the skills gap, lessening the need for in-house experts. Businesses need to take the initiative and look beyond compliance.

Instead of waiting to be told what to do by the government or by regulators, organisations should look to industry best practices and cybersecurity benchmarks such as ISO27001. While these self-imposed rules can be more complex to implement, they will ultimately leave your organisation in a more protected state than any competitor still relying on basic compliance. This can put you at a significant competitive advantage when attracting and retaining customers.

Cybersecurity strategies and accreditations, like ISO27001, are also reviewed and improved with much more regularity than the law. Because of this continual improvement, these protocols have a reputation of being effective, even within the cybersecurity community.

Proactively meeting new accreditations and benchmarks, rather than merely keeping up with compulsory regulations, will help you stay ahead of attackers. Your organisation is going beyond what is required in order to ensure its safety, as opposed to completing the bare minimum and waiting for someone to ruin your day.

Synthesising reactive and proactive compliance

Of course, businesses shouldn’t drop reactive regulatory compliance entirely. Regulations are a reaction to something that has happened, meaning that this could happen again. If we were to apply the logic of ‘lightning doesn’t strike twice’ to cybersecurity, then the world might be a very different place.

However refusing to act proactively means failing to meet new challenges or lacking the oversight to prepare for instances of things that ‘could’ go wrong. It essentially translates to not taking cybersecurity as seriously as it should be.

Staying compliant with static regulations while also pursuing dynamic strategies based on evolving best practices can make companies better placed to defend against both established and emerging threats.

To learn more about how your cybersecurity could be improved by taking a more proactive approach, read our latest whitepaper ‘Beyond Compliance: Raising the bar on cybersecurity’ and take the fight to hackers, today.