5 Reasons Resilience Beats Compliance

Cyber-attacks are increasing in frequency, sophistication, and severity. They’ve increased 38% from 2021 to 2022 and hit an all-time high in Q4 2022 (Check Point Research, 2023).

With so many small and mid-sized companies having insufficient cyber protection, coupled with a belief that “it won’t happen to us,” there is a lot of low-hanging, very profitable fruit for the bad guys.

We believe true cybersecurity protection is most quickly and effectively achieved with a “resilience first” approach. This prepares an organization to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and attacks. Attacks will always occur as there is no 100% safety guarantee in cyber. But a resilience first approach assures that if attacked, the damage will be minimal and getting back to business as usual is relatively painless as opposed to quite traumatic.

However, many business leaders think that compliance issues should be addressed first, and they invest in this time-consuming exercise at the expense of resilience. For some, regulatory requirements demand compliance, but compliance isn’t protection.

Compliance is like auto insurance: it eases some of the financial and operational pain of a crash, but it doesn’t prevent one.

Here are 5 good reasons a “resilience first” approach is a quick and effective way to build your company’s cybersecurity program:

#1: Compliance is an illusion of protection

Compliance isn’t protection; it only means that regulatory standards have been met. Business leaders should never think to themselves, “we are compliant, so we are safe” because adhering to guidelines or regulations isn’t enough to prevent being a victim of cybercrime.

At the same time, being able to attain cyber insurance (compliance) means that a company has met the insurer’s strict requirements, which in turn builds resilience – a good thing. Most companies can’t get insurance anymore without having met many of the insurer’s controls, like universal implementation of multifactor authentication, an AI-powered endpoint detection and response (EDR) tool, and proving they have a disaster recovery plan and program in place.

#2: The regulatory environment is getting more complex and costly as the pull of compliance gets stronger

May 2023 will mark the five-year anniversary of Europe’s General Data Protection Regulation (GDPR), a rule with global reach that has cost organizations fines in the billions of dollars. The California Consumer Privacy Act (CCPA) followed shortly thereafter, and many other states and countries have enacted similar laws or are in the process of doing so.

But being compliant with privacy laws and regulations is only good at solving two problems: compliance risk and avoiding fines. They are informative but not helpful in mitigating enterprise cybersecurity risk.

What’s more helpful is creating a culture of resilience characterized by security awareness, exceptional training, frequent employee testing, and tenacious vigilance.

#3: Compliance is not a cybersecurity strategy

…But it still passes for one at many companies. Being compliant only means that the business has met regulatory standards.

Pressure to comply with growing cybersecurity and privacy frameworks and regulations draws organizational focus away from the real goal, which should be cyber resilience.

#4: The goal should be “resilience first” with compliance to follow

As previously noted, but repeated because it is so important, compliance only solves the issue of compliance risk and fines, which is not at all helpful when it comes to protecting an organization from cybercrime.

Resilience assumes that cyber-attacks will occur, but affordable and timely precautions are implemented to help companies respond to and quickly recover from those attacks. On average, the time to identify a breach is 207 days. That means the bad guys are in your network, sleuthing how to take your data and extort your money, for over 6 months (IBM, 2022)! A resilience first approach dramatically alters this equation because you’ve kept them out of your network to start with.

#5: Have a risk assessment done to determine your cyber resilience

All organizations that deal with technology and data should understand and identify the vulnerabilities and gaps that can lead to a cyber-attack.

An assessment will identify the assets that could be impacted – critical financial data, consumer and employee data, intellectual property on products and processes, and where that data resides – servers, laptops, and network hardware.

An assessment can reveal the financial and operational risks that unauthorized access to those assets could create for the organization.

So, does your team have the capability, capacity, and focus to do cybersecurity really well?

Only you can determine if you can build cyber resilience with internal resources, but here are 5 questions to ask yourself:

  • Do we really have the team and the tools? IT and cybersecurity skill sets are very different.
  • Can we build cybersecurity into our organizational culture?
  • Is cyber core to our organizational mission? Note that the average downtime of an attack is 21 days (Coveware, 2022). How does being out of business for three weeks affect your mission?
  • Who really owns risk in our company? Does management believe that cyber-attacks can cause significant financial, operational, and emotional pain for the organization?

Be honest in your answers. If you can manage cyber internally, congratulations! If not, it’s mainly because cybersecurity isn’t easy and might be better left to a partner organization so your technical resources can focus on your core business.

A “resilience first” approach is affordable and can be ramped quickly. That effort and investment are essential for business survival in the information age. It’s also important to know that it’s OK to ask for help!

If you’d like to have a confidential conversation with one of our cybersecurity experts to improve your cyber resilience, we’re here to help.

About Fortress: 
Fortress Security Risk Management protects companies from the financial, operational, and emotional trauma of cybercrime by enhancing the performance of their people, processes, and technology.  

Offering a robust, co-managed solution to enhance an internal IT team’s capability and capacity, Fortress features a full suite of managed security services: 24/7/365 U.S.-based monitoring, cyber hygiene (managed patching), endpoint detection and response (EDR), and air-gapped and immutable cloud backups, plus specialized services like Cybersecurity-as-a-Service, Incident Response including disaster recovery & remediation, M&A cyber due diligence, GRC advisory, identity & access management, threat intelligence, vulnerability assessments, and technical testing. With headquarters in Cleveland, Fortress supports companies with both domestic and international operations.

In Case of Emergency: 
Cyber Attack Hotline: 888-207-0123 | Report an Attack: IR911.com  
