
Why cybersecurity and regulatory compliance are one and the same

(Image credit: Docstockmedia / Shutterstock)

Across any industry, cybersecurity and regulatory compliance are crucial areas for business leaders to keep on top of. Both present a set of diverse, rapidly evolving challenges, each with their own unique twists and turns. 

In the cyber world, stories about new ransomware attacks and new methods of compromising data appear on a weekly basis. Meanwhile, sectors such as technology, finance and healthcare face an ever-growing raft of regulation governing responsible business practices.

Given the time and effort needed to manage both cybersecurity and regulatory compliance, they are often considered by businesses to be two largely separate issues. To some extent, this stance is understandable: regulatory compliance means following a set of tangible, distinct guidelines and ensuring the company meets deadlines for new rules. In contrast, cybersecurity is more fluid, challenging organizations to react swiftly to new threats while proactively preparing for unknown future ones.

These differences mean that compliance is often prioritized over cybersecurity because it is seen as more urgent. Such a one-dimensional approach can pose problems in the long run, as a lack of adequate preparation for cyberattacks can lead to all manner of compliance issues. 

Below, we explore why businesses need to remodel their approach, and consider both cybersecurity and compliance as being two sides of the same coin.

Compliance is king 

Meeting compliance can be a hugely complex process, especially if a company operates in a heavily regulated industry. GDPR is the most famous example implemented in recent years, and is one that many organizations have fallen foul of in some way or another since it came into force in 2018. 

There are many other regulatory frameworks too. The financial sector is governed by requirements such as MiFID II and MiFIR; retailers must conform to guidelines of responsible practice set out by Trading Standards; and all UK businesses must ensure they follow rules of fair competition set out by the Competition and Markets Authority. 

Regulation is a complex web, and one that needs to be managed very carefully. This is why business leaders dedicate a significant portion of their resources to keeping compliant and staying abreast of any impending new rules.

A problem arises, however, when this is done to the detriment of cybersecurity.

Cyber: the stakes have never been higher

Cyberattacks have afflicted businesses and individuals for many years, but efforts to compromise sensitive data have reached new levels of intensity in recent times. Ransomware has become the modus operandi for a large number of criminal groups, given its propensity to wreak havoc and lead to lucrative sums of money being exchanged if a business opts to pay a ransom.

Recent examples of high-profile ransomware attacks are numerous. The Kaseya incident in July 2021 saw between 800 and 1,500 businesses around the world affected, while the Colonial Pipeline attack in May represented a concerted effort to target critical infrastructure in the United States. Hacker collectives such as REvil and RansomEXX have also gained notoriety, with attacks by some groups even being linked to state-sponsored actors.

The current state of play means organizations need to be better prepared than ever before. When considering that the theft of sensitive data is central to any cyberattack, it becomes clear that cybersecurity and compliance are intrinsically linked.

The bottom line is that poor security equals poor compliance. If a business fails to adequately protect its data and then falls victim to a cyberattack, the company will automatically be in breach of GDPR and likely of other regulations specific to its industry. In short, good cybersecurity should be the bedrock of any compliance strategy.

Getting your cyber house in order 

First of all, it is vital that businesses think proactively when it comes to cyber. Essentially, any threat that people are talking about right now is already outdated, so the emphasis needs to be on preparing for unknown threats, as challenging as that may be. 

One key area to look at is the company's privacy policies. These should be closely examined and stress-tested to ensure they meet the demands of the modern threat landscape, and renewed or refreshed where applicable. As part of this process, organizations should embrace measures such as encryption, strong access control and multifactor authentication.

Employees should be made fully aware of these new policies, and given comprehensive training to help them recognize threats – such as malicious emails or social engineering attempts – so they can learn how to avoid them. With watertight privacy policies in place, businesses can be confident that their practices are fully compliant with regulations.

Another area to consider is integrating privacy by design into all elements of the software development process. This should include imposing strict measures to govern coding practices, such as static analysis, better and more frequent testing, and banning the use of insecure API functions. This meticulous focus on security should also stretch to the organization’s software stack, which includes taking steps to build secure applications and containers. Again, such a diligent focus on privacy will help ensure companies consistently tick all the compliance boxes.

Finally, it is paramount that companies invest in the skills and technologies needed to make cybersecurity as strong as it can possibly be. This means taking on real experts to do the security jobs – not people who have only done short courses in cyber or people who do not have a passion for the role. Businesses should not be afraid to outsource these skills if needed, or automate some of the more mundane tasks so that more can be invested in getting the right people on board to work on the most complex tasks. The right talent will know not just how to maintain security at a basic level, but will also understand how it fits within the wider compliance context.

Striking the balance 

The time to consider cybersecurity and compliance as two separate entities is over. To meet the challenges of both, cyber must be a key pillar of any compliance strategy, and vice versa. Neither can truly succeed unless the other is in good shape, so the emphasis should be on balancing resources so that both areas are covered. It requires work and commitment, but it is the only way to run a truly tight ship in an era of high-stakes cybercrime and strict regulatory requirements.

Maciej Dziergwa, founder and CEO, STX Next

Maciej Dziergwa is the founder and CEO of STX Next — the largest Python software house in Europe. Founded in 2005, STX Next now has a team of over 350.