Cyber security: Adhering to regulations is not enough
Source: Middle East Insurance Review | Oct 2023
Freedom from cyber incidents cannot be guaranteed by checking regulatory compliance boxes. Compliance policies are standardised by design and creating personalised security policies on a case-by-case basis is not feasible on a large scale.
A new blog by data security and ransomware prevention company BlackFog posted on its website said that cyber criminals do not limit their attacks to the types of vulnerabilities the regulations address.
In fact, cyber criminals spend considerable time and energy developing innovative ways to bypass these defences, exploit compliance fatigue and compromise vulnerable systems.
Organisations often protect themselves from liability by demonstrating that they adhere to industry regulations, including federally mandated regulations like Health Insurance Portability and Accountability Act of the US as well as voluntary frameworks like The National Institute of Standards and Technology Cybersecurity Framework.
However, highly compliant financial institutions including healthcare providers and government agencies continue to fall victim to cyber attacks. BlackFog said if regulations alone could offer sufficient security, there would be far fewer headline-making attacks on major institutions.
The blog said less than 50% of large US companies are investing in cyber security even though 83% claim it is a major priority. This suggests that security leaders have become less motivated to proactively improve their security posture once they achieve compliance.
The opposite is, however, true of cyber criminal tactics, techniques and procedures. Ransomware gangs and individual hackers use a combination of automated software and highly customised attack vectors to target their victims. Security regulations give them a point of reference for constructing sophisticated attacks. M