In my last email, I mentioned the dangers of assessing your defences on the basis of your alignment to regulatory guidance.
I recommended that, even when you are in a helicopter and checking your alignment to regulatory guidance, you should make sure someone is on the ground, checking that your organisation is not an easy target for an unsophisticated cyber crime.
What have I seen?
I remember being asked a few years ago by the board of a financial services firm to do a quick independent assessment of the organisation’s cybersecurity defences.
Everyone seemed confident that it was going to be a ‘tick-the-box’ exercise because the organisation had already worked closely with a well-respected consultancy firm to ensure they were fully aligned with the Central Bank’s Guidance on Cybersecurity.
I was shown the consultants’ report.
Their assessment was really excellent.
The report provided a detailed assessment of how the organisation aligned to each of the bullet points contained in the guidance.
And yet…
When I proceeded with my ‘tick-the-box’ exercise…
It didn’t take long to see that there were lots of ticks missing.
When I checked the health of some of their defences (e.g. software updates; anti-virus updates; Multi-Factor Authentication configurations; proven backups)…
There were clear and obvious gaps that would have enabled a range of unsophisticated cyber attacks to succeed.
The source of the problem?
The problem was not the quality of the work done by the previous consultants. As I said, it was excellent.
The problem was the scope of the work.
- The organisation focused on their alignment to regulatory guidance.
- The organisation did not focus on the well-known defences that can significantly reduce the risk of the majority of cyber attacks.
Why does this happen?
I have said before:
- What gets ~~measured~~ regulated gets done: We focus on regulations and ensure we comply with them.
- What gets ~~measured~~ tested gets done: We focus on the questions that a regulator may test us on if they ever knock on our door.
But we can forget that cyber attackers are knocking on our doors and testing us far more frequently than any regulator.
So what?
Don’t let your concerns about regulatory compliance distract you from the more immediate risks of a cyber attack.
They are both important tests that we must pass.
But one is more urgent and more frequent than the other.
To put it another way…
Make sure you have a secure foundation before you worry about how your house looks from the sky.
If you want to understand more about what a Secure Foundation looks like, there’s plenty to read on my site.
And if you need 1:1 guidance, let’s talk.