2024 presents a stark reality: compliance-based cybersecurity just won't cut it anymore. Ransomware is evolving at breakneck speed, leaving regulations in the dust.
Imagine this: Your data is locked, operations are halted, and your bottom line takes a nosedive. All thanks to a sophisticated ransomware attack that bypassed your "compliant" cybersecurity measures.
In 2024, a risk-based approach to cybersecurity is no longer optional; it's essential. Ransomware is outpacing regulation, leaving businesses like yours vulnerable. Let's explore why now is the time to take proactive steps to protect your data.
But I Followed The Rules...
Picture yourself on a hiking trip. National parks are beautiful this time of year, but you know there can be dangers — like bears — and you want to be prepared. You assiduously study the park website’s trail maps and guidance on bear-attack prevention, and you pack your rucksack with the recommended bear spray and a change of underwear in case of an encounter.
Pulling in deep lungfuls of fresh mountain air, you enjoy a beautiful day of hiking out onto Mt. Ominous.
…And then you realize you forgot your cell phone, which had your map and GPS information. Now you have no idea where you are or how to get home, and it’s getting dark.
“But I followed the rules!” you shout, pathetically yet comically, into the void.
This cautionary tale shows the difference between two approaches to data resiliency: compliance and true cybersecurity. Pure compliance looks a lot like the errant hiker—you follow a set of general rules and hope that you (or your data) will remain safe. Sometimes, that works. But actual risk-based cybersecurity? That looks way different. Understanding this difference will be critical to protecting your business against ransomware in 2024.
Right now, we’re in a ‘calm before the storm’ moment in ransomware. According to Sophos, there has been a slight dip in attack rates compared to 2023, as well as some legal action against some of the more organized ransomware actors. But this is no time to let your guard down. Companies would do well to take advantage of this breathing space for what it is: a time to take a proactive approach and shore up their cybersecurity and data resilience defenses.
So, compliance vs. risk-based cybersecurity. What’s the difference, and why does it matter?
What is Compliance?
Taking a compliance-only-based approach to cybersecurity and data resiliency means letting compliance drive your data strategy. For example, a SaaS company operating in Europe will always have to contend with GDPR’s stipulations — if they don’t, they’ll face serious legal and financial penalties.
On the other hand, frameworks like NIST are voluntary—businesses can opt-in as they choose and face no binding repercussions for infractions other than reputational damage from not doing what they said they were doing.
While regulatory and security frameworks can be very helpful for establishing cybersecurity baselines, they usually cover a broad set of basics. The incentive of avoiding infractions or reputational damage will often inspire companies to stay aligned with the requirements. So, as more companies adopt cybersecurity frameworks and experiment with their implementation, it will likely give rise to a more global culture of cybersecurity practices.
For example, despite all its nonbinding bluster, the International Counter Ransomware Initiative 2023 Joint Statement from last year was encouraging because it showed several government entities worldwide acknowledging the problem of ransomware and taking the initial steps to address it.
But regulatory frameworks and policy initiatives alone are not enough to protect your company from serious data loss, let alone ransomware attacks.
Looking Beyond the Frameworks
The problem with these frameworks isn’t particularly technical, nor is there a question about their usefulness—they are a great place to start. But every company is different, and therefore, an optimal cybersecurity and data resilience program will look different to each company.
Regulatory frameworks provide general security guidelines and best practices — designed to be applied and consumed by a wide range of companies and environments. This is both their strength and their weakness.
Compliance expresses a universal standard but doesn’t consider the contextual elements unique to each company's cybersecurity and data resilience needs. Additionally, compliance frameworks are reactive, and while good cybersecurity can be a by-product of being compliant, that is not always the case.
Conversely, risk-based cybersecurity is proactive while being compliant, and it takes into account the unique characteristics and needs of your company that may lie outside the scope of a particular compliance framework. For example, let’s say your SaaS company is using NIST’s cybersecurity framework. While its “protect” function covers access control and training, and you’ve implemented controls to address these requirements, human error can still creep through.
This is particularly true if a company is simply following these frameworks rather than applying meaningful controls with respect to its environment and culture. Not all anti-phishing training is created equal. It is important to use content that aligns with your company standards, policies, and unique risks. Keep in mind that human error can always happen.
Playing the Innovation Catch-Up Game
Another problem: innovation always outpaces regulation. Sadly, this maxim doesn’t only apply to legitimate businesses — ransomware actors are innovating and moving quickly, leveraging new ways of exploiting vulnerabilities that outpace protective controls and processes.
And GenAI will be gasoline on this fire. Risk-based cybersecurity incorporates a proactive and evolutionary approach to protecting your company’s data, one that is always seeking to improve existing controls and practices among your staff. Compliance is a good first step on this journey, but don't stop there: continually evaluate and mature your security posture by taking a risk-based approach.
Bridging the Gap
When companies realize compliance isn’t enough, they often wonder what the right steps toward a risk-based approach to cybersecurity are. Often, companies feel spurred to introduce additional tools for protection and detection, each meeting custom needs for emergent threats.
This is certainly important, but I always encourage companies in this position to take a step back and consider whether they have the fundamentals in place that support a defense-in-depth approach, including the often-neglected response and recovery capabilities.
Having strong response and recovery capabilities is very important as part of your defense-in-depth strategy. Consider for a moment the cyber and ransomware attacks that have happened over the last year. Do you think that the companies making the headlines did not have protection and detection tools and processes in place? Of course they did, but the reality is that those tools and processes do not catch everything.
Breaches and ransomware still happen, so it is important to have strong recovery capabilities to resume operations and recover data at scale across your organization. Often, the best place to start is by looking at your endpoint backup and recovery capabilities. This is one of the simplest and most effective ways to take the sting out of a ransomware attack.
If you have a functional cloud-based backup and recovery platform covering your business, you can have peace of mind knowing that your data is secured, stored off-site, and available for recovery when you need it most!
If this sounds dead simple, you might be surprised to learn how many organizations have gaps in this area due to the use of cloud collaboration platforms (CCPs) for primary backup and recovery of endpoint data.
For example, although SaaS applications have become standard in modern business, fewer than one in five companies are backing up their SaaS data. CCPs rely on user behavior to back up data, and even then, there are limits on retention duration, file size, and security.
So, before pushing off to new and innovative approaches to combating ransomware, I’d recommend evaluating your data resilience posture for critical gaps due to process and tool misuse.
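One way to turn that evaluation into a repeatable check is to audit an endpoint backup inventory against the gaps the article names: stale or missing backups, reliance on collaboration-platform sync instead of a managed backup, short retention, no off-site copy, and no recent restore test. The script below is an added example, not code from the article or from any product it mentions; the inventory format, field names, thresholds and sample records are all constructed assumptions.

```python
"""Audit an endpoint backup inventory for data-resilience gaps.

Added example, not from the article. The inventory schema, field names and
policy thresholds are assumptions; the sample records are constructed.
"""
from datetime import datetime, timedelta, timezone
import hashlib

# Assumed policy thresholds (adjust to your own standards).
MAX_BACKUP_AGE = timedelta(hours=24)        # daily backups expected
MIN_RETENTION_DAYS = 90                     # minimum retention window
RESTORE_TEST_MAX_AGE = timedelta(days=30)   # restore test expected monthly

# Fixed "current time" so the sample audit is reproducible.
AUDIT_TIME = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample inventory; hostnames and timestamps are fictitious.
SAMPLE_INVENTORY = [
    {"host": "laptop-finance-01", "backup_target": "backup-platform",
     "last_success": "2024-05-01T02:15:00Z", "retention_days": 365,
     "last_restore_test": "2024-04-20T09:00:00Z", "offsite": True},
    {"host": "laptop-sales-07", "backup_target": "ccp-sync",
     "last_success": "2024-04-28T18:40:00Z", "retention_days": 30,
     "last_restore_test": None, "offsite": True},
    {"host": "desktop-eng-12", "backup_target": "backup-platform",
     "last_success": None, "retention_days": 365,
     "last_restore_test": None, "offsite": True},
    {"host": "laptop-exec-02", "backup_target": "backup-platform",
     "last_success": "2024-05-01T01:00:00Z", "retention_days": 365,
     "last_restore_test": "2024-01-05T09:00:00Z", "offsite": False},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp, or return None when absent."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_endpoint(rec, now):
    """Return a list of (severity, message) findings for one endpoint."""
    findings = []
    last = _parse(rec["last_success"])
    if last is None:
        findings.append(("high", "no successful backup recorded"))
    elif now - last > MAX_BACKUP_AGE:
        findings.append(("high", f"last backup {now - last} ago exceeds {MAX_BACKUP_AGE}"))
    if rec["backup_target"] == "ccp-sync":
        findings.append(("medium", "relies on collaboration-platform sync, which depends "
                                   "on user behaviour and is not a managed backup"))
    if rec["retention_days"] < MIN_RETENTION_DAYS:
        findings.append(("medium", f"retention {rec['retention_days']}d below "
                                   f"{MIN_RETENTION_DAYS}d"))
    if not rec["offsite"]:
        findings.append(("high", "no off-site copy of the backup"))
    probe = _parse(rec["last_restore_test"])
    if probe is None or now - probe > RESTORE_TEST_MAX_AGE:
        findings.append(("medium", "no recent restore test; recoverability is unverified"))
    return findings


def audit_inventory(inventory, now):
    """Map each hostname to its findings (an empty list means no gaps)."""
    return {rec["host"]: audit_endpoint(rec, now) for rec in inventory}


def run_sample_audit():
    """Run the audit over the constructed inventory at the fixed audit time."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_TIME)


def verify_restored_file(data: bytes, expected_sha256: str) -> bool:
    """Restore-test helper: a restored file must match the digest taken at backup time."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


if __name__ == "__main__":
    for host, findings in run_sample_audit().items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

In practice the inventory would be exported from the backup platform's reporting API rather than embedded, and the restore test would be an actual scheduled restore of a known file whose digest was recorded at backup time; the point of the check is that "we have backups" is only a claim until a restore has been shown to work within the required retention and freshness windows.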
Don’t Stop at Compliance
Compliance is a starting point and provides a framework for uniform and good security practices. However, risk-based security and data resiliency are journeys that don’t stop with compliance. Compliance software can help with vulnerability assessments, threat intelligence, and more.
Our world is changing, technology is evolving, attackers are innovating, and threats persist. This is why security and IT teams must incorporate ongoing, risk-based approaches to evolve and mature their cybersecurity and data resilience capabilities.