Securing your business requires more than just compliance

For an organisation, setting out to achieve compliance standards, such as the General Data Protection Regulation (GDPR), or Singapore's personal data protection act, is an important step towards protecting its business and reputation.

The company will have to address key controls around firewalls, passwords, encryption, malware, access, and implement security best practices through a rigorous compliance process. By doing so, the organisation will have addressed some crucial elements in their security program.

Organisations risk fines and penalties for not following laws and regulations. For instance, Singapore's Personal Data Protection Commission (PDPC) has strict policies for organisations when it comes to breaches. As of February 2021, the maximum financial penalty for data protection breaches has been increased to 10% of an organisation’s annual turnover or SGD1 million, whichever is higher. At the time of writing, the PDPC has imposed penalties on four companies for data protection breaches.

However, with a rapidly evolving cybersecurity landscape and threats becoming increasingly sophisticated, compliance alone is insufficient to protect an organisation. Businesses have become more vulnerable to cyber intrusions as threat actors continually look for ways to infiltrate company networks, especially with the prevalence of hybrid and remote working. Thus, the focus should now shift towards strengthening the security of IT infrastructures. Moreover, malicious cyber activities remain a concern amid changing business landscape and accelerated digitalisation brought about by the COVID-19 pandemic. A report from the Cyber Security Agency of Singapore (CSA) revealed an increase in cyber threats such as ransomware and online scams in 2020.

Compliance standards are typically designed for a unique and specific purpose. For example, the Personal Data Protection Act (PDPA) of Singapore introduced in January 2013 was primarily focused on protecting the personal data of individuals with respect to commercial transactions. However, compliance standards, often limited to a specific scope, may not necessarily protect key assets, systems, and functions that are critical to the business. It is likely that organisations may still require the implementation of more pervasive control to enhance the security of the overall environment in which it operates.

Although compliance standards certainly address the goals of the compliance initiative they were built for, they are not designed to be the foundation of an organisation's cybersecurity program. Organisations need to go above and beyond to secure their critical assets and data. Therefore, it is imperative for companies to carefully consider the following recommendations and assess if these are suitable for them.

Integrating compliance programs into a risk-based framework

A risk-based framework centres on understanding and responding to factors that can lead to confidentiality, integrity, and availability failures. This begins with controls that secure an organisation from present or perceived risk scenarios. They can effectively utilise risk-based frameworks to build or improve upon their cybersecurity programs. Furthermore, an organisation can easily tailor the design and implementation of specifications based on identified risks.

When a risk-based framework is applied, companies will be able to create a more secure overall environment beyond just compliance. Moreover, it will also help them stay current and relevant to effectively deal with challenges posed by a rapidly evolving security landscape. As such, it will be much easier to freely modify controls based on risk factors that are important to the business.

More often, regulations are not updated quickly enough to provide ample security assurance. Therefore, stacking required compliance programs with a more thorough, risk-based framework is a much more optimal route to follow.

Benefits of a risk-based framework approach

Implementing a risk-based framework approach allows organisations to:

• Protect their most critical assessments thoroughly

• Customise controls according to their specific security and organisational needs

• Take a more proactive stance on security

• Encourage a resilient culture

• Improve their regulatory compliance posture organically

A risk-based approach to cybersecurity delivers all of these benefits and more, based on its fundamental and pragmatic design. It is important to identify and understand what the most critical assets are first and then respond to real-world risk scenarios that could impact those critical assets. This approach will help an organisation get on the right path towards proactive security that minimises its threat landscape.

By encouraging employees to work with risk team members and understand how actual security threats work, organisations can cultivate a culture that is more resilient to changes in the external environment. This in itself will help improve control posture organically, which simultaneously supports the downstream regulatory compliance maturity of the organisation. To manage a

cybersecurity program effectively, organisations should implement a risk-based framework that also helps them maintain compliance where applicable.

When it comes to security management, organisations must understand that cybersecurity is grounded in enterprise risk management. Therefore, businesses must prioritise cybersecurity activities based on the risk management frameworks to achieve synergy between regulatory guidelines and security controls. Effective security controls are a key element of complying with data security regulations in Singapore. Thus, they must look at the internal processes to ensure that everyone within the IT infrastructure is well-equipped to handle security-related incidents. This way, organisations can adequately address all elements related to their IT security while helping ease some of the burden off their in-house teams. With a risk-based framework approach, organisations will be able to redirect their focus towards more strategic initiatives to help their business grow.