Even with top-notch security in place, failures are inevitable.
Though businesses strive to limit damage, an unlucky few could find themselves defending their security in a courtroom, regulatory hearing, or before the board of directors.
Add in budget constraints, and difficult decisions must be made. From the smallest in-home business to the largest bank, choosing how to prioritize and establish IT systems and security is crucial.
But, under the blinding lights of hostile legal scrutiny, will these choices stand up?
In the safety of an office, tactics are justified by showing that we meet compliance requirements, or achieve some security objective.
However, making sure those tactics are defensible takes planning and testing.
Compliance vs. Security
Compliance and security both strive for the same goal: safety. That being said, the two mindsets are certainly not the same.
Worse, the different perspectives of these frameworks can result in strange conflicts. Although an organization might be compliant, that doesn’t make it secure, and vice versa.
Governments and private organizations alike create standards and regulations that attempt to clarify goals and protect specific interests. Following these would make an organization compliant.
Security, however, is more difficult to define. This is because it requires such a wide variety of IT practices and technologies, to protect networks, hardware, and data.
Regulations typically use industry-standard frameworks as their basis, and are slow to change. For example, some compliance regulations require endpoint antivirus technology – even as the signature-based technology shows increasing weakness to combat modern attack methods.
Compliance requirements provide IT managers with justification for IT security investment. However, this can lead to conflicts when the standards require security measures irrelevant for the organization.
For a simplified example, if a company uses biometrics instead of passwords to access devices, they might find themselves in conflict with a compliance regulation requiring passwords of a minimum of eight characters. In this case, they might be secure, but not technically compliant.
Planning Future Defense
Everyone makes tough decisions about their IT systems and security.
But how many people consider these decisions with an eye towards defending them in a courtroom?
This perspective can drastically change the way we think about existing practices, as well as shift future priorities.
For instance: if an organization lacks requirements for password length and complexity and finds themselves hacked and sued, how will a lack of a password policy stand up in court?
The cost of a password manager, or at least an enforced password policy, is trivial compared with court costs.
For the company using biometrics instead of passwords, they may be secure but will need to prepare documentation to deal with compliance audits.
Whether in the courtroom or for a compliance audit, an IT manager documenting reasonable justification for decisions is off to a great start.
The Power of Testing
Using industry-standard practices and technologies incorrectly, or simply checking off the boxes in our compliance checklists won’t stop hackers.
Even the most powerful reasons for IT decisions won’t hold up in court if failure to implement that plan can be proven.
Newly discovered vulnerabilities can suddenly render previously secure networks open to attack. Unfortunately, “It was a new vulnerability,” is not an acceptable defense in the court of law.
Businesses must prove resilience in their security strategies that can withstand or counter unexpected threats.
Testing provides the proof. Organizations can use red teams to attack a security setup, verifying that it has been implemented correctly and sufficiently.
Organizations can take each IT system, perform stress tests or attack simulations, and use the results to document the system’s effectiveness. In this manner, exposed weaknesses can be found and corrected.
It is far, far better to find them in your own tests than to stand up in court after an attack, explaining why preventative checks never happened.
To protect against undiscovered vulnerabilities, there are two main techniques – testing recovery and monitoring.
Recovery tests verify that the organization can withstand both small and large disasters by proving how quickly backup systems can be brought online and backup data re-installed.
The Bottom Line
Network and cybersecurity monitoring provides ongoing checks that IT systems and security programs continue performing as expected, as well as early warning of unexpected problems.
And although monitoring and testing cannot guarantee complete security or success in a courtroom, they do provide proof that the organization has taken reasonable steps.
The cost of a courtroom battle can be sky-high. And if an organization is found liable for damages, a successful lawsuit can be crippling.
However, by making every effort to bolster security, and combining it with documentation, you’ll have a much better chance of defending a case. It’s not just good for your cybersecurity, it’s the right thing for your bottom line.
Ideal Integrations and Blue Bastion provides a full suite of red teaming, penetration tests and monitoring to help your team provide third party verification of your IT system’s status.
Call us today at 412-349-6680 or fill out the form below and we can provide the documentation to support your future defense.