By Sanjeev Singh

CERT India, in its recent report, observed a 51% increase in ransomware attacks in the first half of 2022 compared to the previous year, targeting sectors such as IT, manufacturing and finance, among others. This is not surprising and matches other similar reports, such as the Sophos State of Ransomware Report 2022, which found that 78% of sampled businesses in India had been affected by ransomware, with an estimated average remediation cost of 2.81 million dollars per attack. IBM’s Cost of a Data Breach Report 2022 reveals a similar cost of $2.32 million per breach in India, up from $2.21 million in 2021, and identifies compliance failures as one of the top factors affecting the cost of a data breach.

The increasing number of cyberattacks and the rising cost of data breaches have made privacy and information security a major concern for businesses in today’s data-driven world. Yet it could be argued that many of the companies that have been successfully breached were compliant with industry standards. If so, does compliance still add value?

Compliance offers great value for companies beginning their cybersecurity journey or those looking to improve their maturity. It delivers significant business value by guiding the implementation of best practices, processes and controls. Here are some of the main benefits of security compliance for your business:

  • Build trust and reputation: Compliance with key industry standards and regulations demonstrates a company’s commitment to protecting its business and customer data. This builds trust in your brand and indirectly contributes to business growth. A single data breach can result in catastrophic reputation loss.
  • Enhanced Accountability: Standards and regulations require companies to implement processes to assign higher-level accountability for strategic cybersecurity risk management. They also guide access control mechanisms to protect data and resources in the environment by implementing frameworks and controls for enterprise-wide risk management.
  • Improved data protection: Most privacy and data protection regulations focus on three key areas: (i) obtaining consent from the end user; (ii) how long the data is kept; and (iii) how the data is used. A company implementing controls to comply with these regulations will need to improve its data management capabilities, including data discovery, data labeling, data retention, and data loss prevention. These controls not only improve privacy but also improve operational efficiency.
  • Improved security: Standards and regulations provide guidance on the administrative and technical controls to be implemented. For example, the current ISO 27001 standard specifies 114 security controls divided into 14 sets of controls, which will increase to 93 controls on four themes in the ISO 27001:2022 version. Businesses implementing these controls will certainly benefit.
  • Consistency: For most compliance standards or regulations, a compliant company undergoes audits, certifications or recertifications every year. This maintains a minimum base level of security and aligns the attention of senior management as well as IT and Infosec teams to these requirements.
  • Avoid fines or penalties: Failure to comply with laws or regulations can result in hefty fines, especially where the regulations involved are HIPAA, GDPR, CCPA, etc. These fines can reach 4% of global turnover or 200 million dollars in the event of GDPR non-compliance. Being able to demonstrate due diligence and compliance can potentially reduce fines in the event of a data breach.
  • Log management and monitoring: Most standards and regulations require companies to monitor security or data breaches. This brings great visibility into activities across the landscape and enables security teams to detect potential malicious activity as it occurs. Centralized logs also allow security teams to search for evidence of compromise after the incident or conduct proactive threat hunting before the incident.
  • Incident management: Despite all controls, there is no guarantee of 100% security. Security compliance provides a consistent and effective approach to managing information security incidents, including communication about security events and weaknesses.

Compliance plays a crucial role in implementing a robust security and privacy program and provides the necessary guidance on what to do. However, compliance frameworks are not much help in determining how to do it. You can be compliant and yet vulnerable to a cyberattack; this is quite evident when we witness successful attacks against some of the major public and private companies. Compliance, by itself, is not adequate. The implementation of controls and their proper application are crucial. Compliance should not be treated as a static initiative and should never be seen as something a company can “set and forget”. As companies mature in their cyber defense, they will realize that annual certifications against these compliance standards may no longer be adequate. The global regulatory environment is also changing rapidly and becoming more demanding, with higher expectations leading to more granular and prescriptive guidance and enforcement measures. More than 80 countries around the world have adopted privacy laws, and any company operating in, or processing data from subjects in, these countries must comply with them.

Modern challenges require modern approaches. Compliance must go beyond policies and procedures to become an enterprise-wide initiative. Security must go beyond the historical requirements of securing the business and meeting regulatory requirements to become a strategic enabler that improves customer satisfaction, drives innovation and growth, and reduces costs. Businesses need to move away from a box-ticking approach and embrace compliance in letter and spirit by investing in the right team and tools to manage this complex and evolving environment. Security and compliance automation that enables continuous visibility and continuous compliance through automated discovery and response workflows is one way to achieve this.

The author is Chief Information Security Officer (CISO) and Data Protection Officer (DPO) at Birlasoft.

Disclaimer: The opinions expressed are those of the author alone and ETCIO.com does not necessarily endorse them. ETCIO.com will not be responsible for any damage caused to any person/organization directly or indirectly.