Instead of considering data privacy/protection laws as a burden to go through the motions with, think out of the box!
When it comes to cybersecurity compliance it is easy to fall into the trap of treating the function as a white elephant: investing large amounts of money to appease governments but generating few other business benefits.
Of course, those laws and regulations by the authorities are there for a reason: to set minimum standards for cybersecurity and force organizations to boost their security posture.
Such collective compliance goes beyond improving security. It can also minimize the risk and costs associated with data breaches, and improve productivity and operational efficiency. In fact, when managed well, it can and should provide a positive return on investment.
Complying with cybersecurity standards can be more cost-effective in terms of time, money and effort than responding to a large-scale cyber security incident.
Fear of compliance audits?
According to a ThycoticCentrify-commissioned independent study of more than 900 global CISOs/Senior IT decision-makers, boardroom investments in cybersecurity were most commonly the result of an incident or fears of compliance audit failure.
Zooming in on the 100 respondents from organizations in Singapore and Malaysia, 94% received boardroom investment for new security projects in response to a cyber incident (60%) or through fear of audit failure (34%).
Fear aside, successful compliance measures help organizations reduce risk, measured against the potential cost of major breaches due to a cyberattack and/or major outages caused by a rogue employee with privileged access.
In fact, managing and stopping unauthorized privileged access is mandated under ISO 27001, which requires organizations to control access to information and to protect endpoint systems from malware; the NIST Cybersecurity Framework requires the same.
Privileged access management in detail
Within a cyber compliance framework, Privileged Access Management (PAM) solutions are key to organizations’ efforts to protect information and prevent unauthorized access. In particular, PAM:
- controls the privileges of admin accounts—the so-called ‘keys to the kingdom’—that adversaries target in order to gain full access to networks
- controls access to valuable or sensitive information by privileged users that are high value targets for cybercriminals
- supports Endpoint Privilege Management to prevent the execution of unapproved programs and malware such as ransomware. IT research and advisory firm Gartner refers to this capability as Privileged Elevation & Delegation Management (PEDM). It enables intelligent allow, block and grey listing of functions on computer endpoints, and the revocation of local admin rights.
- provides transparency and auditability with Privilege Behaviour Analytics capabilities. PAM tracks the access of individuals in a holistic way, allowing specific instances to be monitored and flagged if anything seems suspicious. It creates an audit trail, allowing breaches to be spotted earlier and traced back to specific points of access.
With these PAM mechanisms, organizations greatly reduce the room for malware to run on and gain control of endpoint systems, and also limit the opportunity for compromised systems to be used as stepping stones to more valuable information assets.
Cyber compliance with good returns
In the past, organizations that tried to restrict administrative privileges or revoke local admin rights without the right solutions often struggled. This is usually because they forced users to change their behavior, making it more difficult for them to do their jobs.
However, approaching cyber compliance correctly can extract returns on the costs incurred. Productivity and user experience are also improved. For example, with a well-designed PAM solution, accessing a large number of privileged accounts requires users to log in just once, using single sign-on. They are also relieved of the burden of managing the passwords for each account.
With the revocation of local admin rights, the right PEDM solution can make a huge difference to productivity. Instead of a blanket approach to withdrawing admin rights, access to systems and applications can be controlled on a case-by-case basis.
A PAM and/or PEDM solution should provide the ability to elevate access rights on demand. This allows users to run with admin privileges for short periods of time, subject to additional controls.
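The PEDM capabilities described above (allow, block and grey listing of programs, revocation of standing local admin rights, an audit trail that can be checked for suspicious patterns) and the on-demand, time-boxed elevation described in this paragraph can be illustrated with a small policy engine. The following is an added example, not code from any vendor product or from the article; the user names, program identifiers, timestamps and the 15-minute elevation cap are constructed for illustration.

```python
# Toy endpoint-privilege policy engine (added example, not vendor code).
# It models allow/block/grey listing, time-boxed on-demand elevation, and an
# audit trail that can be scanned for repeated blocked launches.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"   # runs with elevated rights
    BLOCK = "block"   # known-bad or explicitly denied: never runs
    GREY = "grey"     # unknown program: runs without admin rights


@dataclass
class ElevationGrant:
    user: str
    program: str
    approver: str
    expires_at: datetime


@dataclass
class PrivilegePolicy:
    allow_list: set
    block_list: set
    max_elevation: timedelta = timedelta(minutes=15)   # constructed cap
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, now, user, program, event, reason):
        # Every decision is recorded so it can later be traced to a user,
        # a program and a point in time.
        self.audit_log.append({"time": now.isoformat(), "user": user,
                               "program": program, "event": event,
                               "reason": reason})

    def _active_grant(self, user, program, now):
        for g in self.grants:
            if g.user == user and g.program == program and g.expires_at > now:
                return g
        return None

    def evaluate(self, user, program, now):
        """Decide how a launch request runs; the block list always wins."""
        if program in self.block_list:
            decision, reason = Decision.BLOCK, "block list"
        elif program in self.allow_list:
            decision, reason = Decision.ALLOW, "allow list"
        elif (grant := self._active_grant(user, program, now)) is not None:
            decision = Decision.ALLOW
            reason = f"elevation approved by {grant.approver}"
        else:
            decision, reason = Decision.GREY, "unknown program, no admin rights"
        self._log(now, user, program, decision.value, reason)
        return decision

    def request_elevation(self, user, program, approver, now, duration=None):
        """Grant temporary admin rights for one program, capped in duration."""
        if program in self.block_list:
            self._log(now, user, program, "refused", "elevation on blocked program")
            return None
        duration = min(duration or self.max_elevation, self.max_elevation)
        grant = ElevationGrant(user, program, approver, now + duration)
        self.grants.append(grant)
        self._log(now, user, program, "grant", f"approved by {approver} for {duration}")
        return grant

    def flag_suspicious(self, threshold=3):
        """Crude behaviour analytics: users with repeated blocked launches."""
        counts = {}
        for e in self.audit_log:
            if e["event"] == Decision.BLOCK.value:
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return {u for u, n in counts.items() if n >= threshold}


def demo():
    """Run constructed requests through the policy and return the outcomes."""
    policy = PrivilegePolicy(allow_list={"approved-updater"},
                             block_list={"ransomware-dropper"})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed
    results = {
        "updater": policy.evaluate("alice", "approved-updater", t0),
        "dropper": policy.evaluate("alice", "ransomware-dropper", t0),
        "installer_before": policy.evaluate("alice", "vendor-installer", t0),
    }
    # Helpdesk approves two hours, but the policy caps the grant at 15 minutes.
    policy.request_elevation("alice", "vendor-installer", "helpdesk", t0,
                             timedelta(hours=2))
    results["installer_during"] = policy.evaluate(
        "alice", "vendor-installer", t0 + timedelta(minutes=10))
    results["installer_after"] = policy.evaluate(
        "alice", "vendor-installer", t0 + timedelta(minutes=20))
    for i in range(3):   # repeated blocked launches by one user get flagged
        policy.evaluate("mallory", "ransomware-dropper", t0 + timedelta(minutes=i))
    results["flagged"] = policy.flag_suspicious()
    return policy, results


if __name__ == "__main__":
    _, outcome = demo()
    for name, value in outcome.items():
        print(f"{name}: {value}")
```

The design point is that the block list is consulted before any grant, so an approval can never override a known-bad program, and that the grant's expiry, not the user's standing rights, decides whether the elevated run is allowed.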
So, far from finding it more difficult to do their jobs, most end users end up no longer worrying about complex password policies, enjoying more convenient access to applications and cloud-based services, and feeling less cyber stress.
The end result is a win-win-win: compliance with cybersecurity standards, an improved security posture that enables the organization to confidently manage the risks associated with new digital services, and users that are more productive and less burdened by having to follow cybersecurity policies.
It may be legally unavoidable and will come with cost concerns, but properly executed cyber compliance can really offer many benefits from a business perspective.