If you’ve ever rowed a boat with someone else, you know that it’s very difficult to make progress if two people are rowing in different directions. Imagine if you could add a third rower trying to pull you off in another direction entirely. According to a new report, that is the situation many organizations find themselves in when it comes to cybersecurity and compliance. The IT, Legal and Compliance teams all have a role to play, but they have different priorities and often conflicting agendas.
The report, “Surprising Disconnect Over Compliance and Secure Web Use at Financial Firms” from Real Time Research Reports, was sponsored by Authentic8 and reveals data gathered from 163 senior-level compliance, legal and IT managers from financial services firms or law firms with clients in the financial industry. It illustrates some of the challenges that organizations face and provides some insight and guidance to help address the problem.
“What’s perplexing to me, with data breaches and privacy violations at an all-time high, is how deep the divide still runs between IT, compliance and legal professionals in many firms, according to these findings,” noted Scott Petry, co-founder and CEO of Authentic8, in a press release announcing the report.
It makes sense, to some extent. Each of these three teams serves a different function and brings a unique perspective to the table. “These three groups are working on the same problem, but they have different views of what the main problem is,” said Michele DeStefano, a law professor and co-founder and co-editor of the Compliance Elliance Journal, in the report.
That said, it is important that all three are rowing in the same direction. Whether you have a large enterprise or a company with fewer cybersecurity and compliance resources—or “less accessible” IT departments, as the report calls them—there are three key strategies that can help organize and coordinate the efforts of these three teams for more effective security and compliance: automation, secure web access and ensuring compliance for social media and cloud apps.
Automation serves two key functions. First, it reduces the amount of effort required by the teams involved, taking some of the routine tasks off their plates so they can focus on more important issues or innovative solutions. Second, automation helps ensure consistency, because the same process is followed every time in exactly the same way.
Secure Access to the Web
The web is fundamental to business productivity for most organizations, but it also represents a significant exposure to risk. One source found that more than two-thirds of web-based attacks target flaws or vulnerabilities that could be used to launch targeted attacks against an organization, and a 2019 study estimated that more than 20% of web traffic consists of malicious bots.
At the same time, the web browser itself has become the main gateway through which web-borne exploits enter the local IT environment when users access the web. The browser is designed specifically to execute code from the web and does very little, if anything, to validate the reputation or integrity of the source. Organizations rely on web browser software that has typically not been tested or vetted in any way because the major browser applications are available for free. Many companies allow employees to choose their own browser software based on personal preference.
Companies in general, and businesses in financial services specifically, should take a closer look at the attack surface the web represents and at how employees access web-based resources and applications.
Central Management of Social Media and Cloud Apps
The risk posed by social media and cloud apps is an extension of the risk from the web. Social media and cloud apps are also web-based tools—but these tools increase the risks specifically for compliance. Regulatory mandates such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Payment Card Industry Data Security Standard (PCI-DSS) and others place requirements on organizations to ensure personal and sensitive data is adequately protected. Organizations need to have policies in place and a method of centrally managing and monitoring social media and cloud app usage to ensure there are no compliance violations.
Check out the full report for more detail. No matter how you look at it, though, it’s essential to coordinate the efforts of these three teams to work toward common objectives. Following these three strategies provides a solid foundation for more effective cybersecurity and compliance.