3 Reasons DFARS Compliance Does Not Mean Security
It has been more than five months since the Dec. 31, 2017, deadline for government contractors to meet DFARS compliance. Businesses of all sizes are still feeling the pressure to implement a System Security Plan (SSP) and Plan of Action & Milestones (POAM). Failing to meet compliance means government contractors run the risk of losing contracts on the spot, facing legal action against the business, and suffering a data breach.
The question is, does your business take a “check-the-box” or “set-and-forget” approach to DFARS/NIST 800-171 compliance simply to avoid being punished, rather than focusing on its underlying goal of strengthening and managing cybersecurity?
If you answered yes, you are not alone. Many executives equate being compliant with being secure. Organizations that think compliance is a one-off effort are wrong. It isn’t. Compliance and cybersecurity are ongoing projects that never stop.
Rather than being the goal, compliance should be looked at as a good starting point to get organizations to move toward implementing best cybersecurity practices.
Cybercriminals are getting smarter and know that smaller organizations don’t have the same level of cybersecurity defenses as multinationals. This is especially true for government contractors that manage or have access to sensitive data, which makes them an ideal target. If you think that compliance is all you need to fend off cyberattacks, here are the top three reasons why compliance is not enough for cybersecurity.
1. You have policies that aren’t designed to be actionable and end up on a shelf.
Making cybersecurity policies is a step toward becoming compliant, but a policy that is never implemented is just a document. Policies are guidelines that are only useful if they are actionable, enforceable and not just written for the shelf.
2. Management isn’t invested in creating and leading a culture of cybersecurity. And, employees are not trained to be the first line of defense.
Human error is the #1 vulnerability for every business; in fact, 19 out of every 20 successful attacks on enterprise networks arise from phishing, according to the SANS Institute. This means employees are the first point of entry for cyberattacks. Management plays a key role in creating a true culture of cybersecurity and in providing the organization with adequate practical training (a combination of video and hands-on phishing simulations is best) so that staff understand the risks and what they can do to be the first line of defense. It is also crucial for executives to lead by example and not only undergo training, but also communicate its importance to everyone on staff.