What Is Basic Cybersecurity, and Is It Enough to Simply be Compliant?

Last updated: May 9, 2024 Reading time: 6 minutes
Disclosure
Share
Cybersecurity, And Is It Enough To Simply Be Compliant
What Is Basic Cybersecurity?

There is no formal definition for essential cybersecurity, but based on how most organizations perceive the phrase, it is about employing reasonable protection from various attacks. It entails the establishment of a sound security posture that considers the new developments in the cyber threat landscape.

However, with the rapidly evolving and overwhelming volume of cyber attacks the modern world faces, many believe the basics are no longer enough. Deploying standard security controls and providing baseline cybersecurity orientations may not suffice.

What basic cybersecurity means

There are no established guidelines or rules as to what constitutes essential cybersecurity. However, the FTC and the National Institute of Standards and Technology (NIST) provide guidelines that can serve as exemplary benchmarks for crucial protection. These guidelines can serve as an excellent basis for determining essential cybersecurity.

The FTC Cybersecurity for Small Businesses outlines several guidelines for protecting businesses from cybercriminals. These can be summarized as follows:

  • Regular software updating
  • Data backups and secure data storage
  • The use of passwords across devices
  • Multi-factor authentication
  • Encryption for devices that contain sensitive information
  • Wireless network protection

Meanwhile, the National Institute of Standards and Technology of the US Department of Commerce provides a cybersecurity framework to reduce cyber risks for businesses and protect their network and data. It focuses on five areas: threat identification, protection, detection, response, and recovery.

To ensure proper threat identification, NIST says that organizations should list all equipment, software, and data and develop policies on the roles and responsibilities of the users of these assets. Measures should also be in place to limit the damage of an attack.

On the protection front, the NIST framework calls for the use of security software for data protection, regulation of network access, regular data backups, regular and automated software updates, and sound policies for the safe disposal of electronic files and devices that contain data. Additionally, everyone in the organization should also have adequate cybersecurity training.

NIST says that organizations should monitor computers and networks for possible unauthorized access or connections regarding detection. It is also crucial to investigate unusual activities on the web.

For the response part, NIST prescribes plans for notifying customers, employees, and others who might be affected by an attack. There should also be a plan for ensuring business continuity or the prompt restoration of operations. Additionally, organizations should have pre-arranged courses of action to investigate and contain an attack, update cybersecurity policies in response to an attack, and prepare for inadvertent events.

Lastly, organizations need to have strategies for recovery. NIST says that there have to plan for repairing and restoring hardware and software after an attack. It is vital to have a disaster recovery plan, as no cybersecurity system can ever be perfect. It is impossible to prevent all cyber assaults from penetrating an organization’s defenses.

When the basics are not enough

Complying with the guidelines laid out above would seem adequate, considering how they cover virtually all aspects of cybersecurity. From threat identification to remediation and recovery, the established guidelines address all the critical concerns.

However, following guidelines is often not enough. As cybersecurity expert Kerry Bailey emphasizes in a Forbes Technology Council post piece, compliance does not equal cybersecurity. “A company can be 100% compliant and yet 100% owned by cyber criminals,” Bailey notes.

In October 2020, for example, Barnes & Noble informed its customers that it suffered a ransomware attack that led to a data breach and the inability of customers to access their libraries. The attack also disrupted the company’s brick-and-mortar store operations across the United States as point-of-sale systems became inoperable.

Barnes & Noble is by no means negligent when it comes to cybersecurity. However, according to a CPO Magazine report, the company possibly fell for a phishing and social engineering attack, which made it possible to inject the ransomware into its system. Even the most robust cyber defenses become ineffective when people in an organization are tricked into doing a cybercriminal’s bidding.

Similarly, strong software defenses are insufficient when dealing with complex and persistent attacks like credential stuffing. This reportedly happened to around half a million Zoom accounts sold on the dark web. The cyber thieves behind the attack allegedly obtained the accounts using previously stolen credentials.

Zoom has been bolstering its security after various criticisms of its security policies over the past year. However, it could not have prevented hackers from hijacking the accounts of users who have the habit of using the same login credentials across different online accounts. The best the company could have done was to ask users to change their passwords and enable two-factor authentication after discovering the sale of stolen Zoom accounts and learning that there was no data breach on Zoom’s end.

Why sticking to guidelines does not suffice

It baffles many why compliance with security standards and guidelines is insufficient for reliable cyber protection. What’s using these standards if complying with them does not guarantee safety?

Security standards are not useless. They help organizations in addressing many possible vulnerabilities and new threats. However, these standards are unlikely to match the most recent technical threats. They are not updated as swiftly as cybercriminals evolve their adversarial tactics and techniques. It takes time for standards-creating bodies to introduce updates that reflect the rapid changes in the threat landscape.

Another problem with cybersecurity dependent on compliance with guidelines is the tendency of different parts of an organization to be siloed. Instead of working with other departments or units, the guidelines are seen as checkboxes that individual units try to tick according to their pace and capabilities.

The fixation on compliance makes department heads focus on achieving specific goals without contextualizing threats on a larger scale or a macro level. There is no motivation to cooperate with other departments to understand the nature of threats better and collaborate to put in place a more solid cybersecurity strategy.

Even though security guidelines are comprehensive, it is still possible for bad actors to exploit weaknesses that are bolstered by the lack of coordination among the different units of an organization. Companies can employ state-of-the-art security software or cloud-based platforms, for instance.

Still, they could not adequately plug the holes exploited by social engineering attacks without an inter-organization cybersecurity strategy that involves sharing knowledge and an openness to implementing changes in policies, protocols, and processes to close down security loopholes.

Conclusion

Essential cybersecurity is not necessarily worthless. The points raised here should not be mistaken as arguments against following security guidelines and standards. However, organizations need to go beyond the basics, especially when coordinating with other departments or units of an organization, and actively pursue the most up-to-date cyber threat intelligence and strategies to be more prepared in dealing with cyber attacks.

Share this article

About the Author

Waqas is a cybersecurity journalist and writer who has a knack for writing technology and online privacy-focused articles. He strives to help achieve a secure online environment and is skilled in writing topics related to cybersecurity, AI, DevOps, Cloud security, and a lot more. As seen in: Computer.org, Nordic APIs, Infosecinstitute.com, Tripwire.com, and VentureBeat.

More from Iam Waqas

Related Posts