It has been more than five months since the Dec. 31, 2017, deadline for government contractors to meet DFARS compliance. Businesses of all sizes are still feeling the pressure to implement a System Security Plan (SSP) and Plan of Action & Milestones (POAM). Failing to meet compliance means government contractors run the risk of losing contracts on the spot, legal action against the business, and suffering a data breach.
The question is, does your business take a “check-the-box” or “set-and-forget” approach to DFARS/NIST 800-171 compliance to prevent them from being punished, rather than focusing on its underlying goal of strengthening and managing cybersecurity?
If you answered yes, you are not alone. A great deal of Executives equate being compliant with being secure. Organizations that think compliance is a one-off shot are wrong. It isn’t. Compliance and cybersecurity are ongoing projects that don’t stop.
Rather than being the goal, compliance should be looked at as a good starting point to get organizations to move toward implementing best cybersecurity practices.
Cybercriminals are getting smarter and know that smaller organizations don’t have the same level of cybersecurity defenses than multinationals. This is especially true for government contractors that manage or have access to sensitive data and are an ideal target. If you think that compliance is all you need to fend off cyberattacks, here are the top three reasons why compliance is not enough for cybersecurity.
1. You have policies that aren’t designed to be actionable and end up on a shelf.
Making cybersecurity policies is a step toward becoming compliant, but not implementing these policies makes them mere tools. They are guidelines that are only useful if they are actionable, enforceable and not just made for the shelf.
2. Management isn’t invested in creating and leading a culture of cybersecurity. And, employees are not trained to be the first line of defense.
Human error is the #1 vulnerability for every business and in fact, 19 out of every 20 successful attacks
on enterprise networks arise from phishing according to the SANS Institute. This means employees are the first point of entry for cyberattacks.
Management plays a key role in creating a true culture of cybersecurity and provide the organization with adequate practical training (a combination of video and hands-on phishing simulations are best) to understand the risks and what they can do to be the first line of defense. It is also crucial for Executives to lead by example and not only undergo training, but also communicate its importance to everyone on staff.
3. Compliance is a static process to demonstrate that controls are in place and effective at a specific point in time.
Compliance is a process of assessing the cybersecurity strength and vulnerability of a business and to ensure policies are implemented. Later, they will be tested periodically to determine whether they are working at a specific point in time to maintain compliance. However, this does not necessarily mean they are effective in between testing.
For your business to be cybersecure, you need to have the right tools and processes to measure, monitor, and keep track of IT best practices.
One key to reducing the risk of the infinite and ever evolving cyberthreats today is to understand that cybersecurity is an ongoing process that is beyond being compliant to standards. Instead of worrying about the problems of the ever-dynamic sphere of cybersecurity, a very cost effective option is to outsource this to an expert that can guide you through the compliance lifecycle, from assessment to remediation and security management.
Photo Designed by Freepik