Stop Playing Catch Up With Cyber Security Regulations

Category: News
Published: 19th July 2024


Cyber security regulators are constantly updating, amending and writing new regulations in an effort to keep pace with evolving cyber threats. These regulations seek to provide a framework that organisations can follow to govern risk and to safeguard business and customer data from misuse, theft and unauthorised access.

However, there are some companies that fail to update their cyber security practices until compelled to act by law. If they can delay compliance until the last minute (or sometimes longer) then they often will. This is not always by choice, but because all businesses face competing priorities.

Unfortunately, this can mean that cyber security takes a back seat while other more urgent (but not necessarily more important) areas of the business are prioritised. Companies and regulators go back and forth until regulations are watered down and deadlines are extended. Businesses then continue to do the bare minimum, leaving lax security measures that make a successful attack more likely.

The regulatory game of cat-and-mouse

The dynamic between businesses and regulators resembles a game of cat-and-mouse. Once EU and UK legislators pass cyber security and data protection laws, regulators such as the UK's Information Commissioner's Office (ICO) issue guidance on them and enforce them, checking that companies are protecting sensitive data and meeting privacy standards.

However, organisations frequently lobby for extensions or diluted requirements, arguing that the regulations are too stringent or difficult to implement in a short timeframe. As a result, deadlines are extended and regulations are sometimes weakened, leaving significant gaps in security coverage.

Failing to abide by these laws can still result in hefty fines from regulators such as the ICO, so the work cannot be avoided, only postponed. This cycle perpetuates a reactive approach to cyber security, where organisations are always on the back foot, rather than fostering a proactive security culture in which cyber security is treated with as much importance as any other area of the business.

The consequences of procrastination

With rapidly evolving cyber threats, delaying cyber security measures can have severe consequences. Even so, up to 74% of companies view compliance as a burden rather than as a helpful form of guidance and standardisation.

This procrastination leaves organisations vulnerable to attack, because they may be operating with outdated security controls and unpatched systems. The result is an increased risk of data breaches, with the financial loss and reputational damage that follow. The longer companies wait, the more exposed they become, and the reactive clean-up after an incident costs far more than planned prevention would have.

The worldwide WannaCry ransomware outbreak of May 2017 is the standard illustration of this pattern. The worm spread by exploiting a vulnerability in Microsoft's SMBv1 implementation (the EternalBlue exploit) for which Microsoft had released the MS17-010 security update in March 2017, two months earlier. Organisations that had not applied the patch, or were still running end-of-life versions of Windows, were infected: around 200,000 machines in more than 150 countries. The lesson is not only about patch cadence; organisations that had disabled SMBv1, or had not left port 445 reachable from untrusted networks, were also far less exposed.

Shifting perspective

To break the cycle, companies must shift from a bare-minimum mindset to a security-first approach. Proactive cyber security involves staying ahead of threats by continuously updating security controls, conducting regular risk assessments and investing in appropriate security technologies. Companies of all sizes can achieve this by adopting frameworks such as Cyber Essentials, the National Cyber Security Centre (NCSC) backed certification scheme whose five basic technical controls (firewalls, secure configuration, user access control, malware protection and security update management) give organisations a solid foundation for their cyber security practices.

Frameworks and standards across the board highlight that fostering a culture of security within an organisation is crucial. Companies can start to build a resilient cyber security environment through regular security awareness training that teaches employees cyber security best practice.

Organisations must encourage responsible behaviour and ensure that cyber security is a priority at all levels. By embedding security into the company’s ethos, businesses can better protect themselves and their customers while remaining on top of legal compliance.

Regulators and industry bodies must also shift their focus from merely enforcing compliance through fines and penalties to encouraging adoption by highlighting the advantages of strong cyber security measures. Increased resilience against cyber threats, enhanced brand reputation, and greater customer trust are all benefits that come from robust cyber security.

By following regulations and maintaining an adaptable and up-to-date security posture, organisations can better protect themselves and their customers while also utilising compliance as the strategic advantage it should be.