Beyond Compliance: Tailoring a Fitting Security Plan for Your Organization

According to Dell Technologies in 2020, 90% of African businesses neglect cybersecurity protocols, leaving them vulnerable to cyberattacks. The constantly changing environment that today’s digital landscape presents has made cybersecurity a paramount business decision for organizations of all sizes and sectors. While compliance with regulations like the NDPR, GDPR, HIPAA, or security frameworks such as the ISO/IEC 27001 is crucial, it shouldn’t be the main driving force behind your security strategy.

Focusing solely on compliance ticks off the required regulatory boxes, but such a bare-minimum choice can leave your organization especially vulnerable to threat tactics that specifically target the gaps left by security measures designed only to meet compliance requirements.

Consider the infamous Equifax data breach of 2017, and the more recent one of January 2023, where the personal information of over 150 million people was exposed, including names, addresses, and social security numbers. The company was found to be compliant with several security regulations yet still suffered a massive security breach, compromising the privacy of millions.

Latitude Financial also suffered a severe data breach in March 2023, with about 14 million customers’ records being compromised. One peculiar thing to note about the breach is that the organization initially misreported the approximate number of victims affected. This suggests that the organization had a very poor understanding of the breach, and also shows how unprepared it was to deal with possible security incidents.

Another example is the data breach that occurred at Dis-Chem Pharmacies in South Africa, also in 2023. The company, despite being compliant with POPIA (South Africa’s Protection of Personal Information Act), experienced a breach that exposed the personal information of millions of customers.

Citing prominent foreign incidents isn’t to say that Nigerian companies are safe. As a matter of fact, last year, as reported by TechCabal, Nigeria witnessed a disturbing surge in data breaches, with over 110 companies being investigated by the Nigeria Data Protection Bureau (NDPB, now NDPC). As referenced in our 2023 Annual Cybersecurity Report, many compliance-focused organizations have still suffered ransomware attacks despite their efforts to adhere to regulations and standards. One notable incident involved a major industry player hit by an attack attributed to the ALPHV group. The ransomware encrypted all data on the affected server, demonstrating that even organizations with compliance measures in place are not immune to cyber threats.

These statistics showcase the growing threat landscape and the critical need for proactive security measures in Africa and beyond. They also highlight the limitations of a compliance-centric approach and underscore the need for a more comprehensive security posture.

Building a Security-Conscious Culture and a Tailored Security Plan

A solid security plan goes beyond compliance. While compliance is essential, building a comprehensive security strategy is an investment in your organization’s future. This means engendering an atmosphere of security consciousness within your organization, where employees understand cyber threats, recognize potential vulnerabilities, and act responsibly to protect sensitive information. By prioritizing robust security measures and fostering a security-conscious culture, you can proactively mitigate risks, safeguard sensitive data, and build trust with your stakeholders.

Here are some key steps to building a security-conscious culture:

  • Regular security awareness and training
  • Leadership commitment to the organization’s security plans (top-down security governance approach)
  • Establishment of security policies and processes with utmost adherence by all stakeholders
  • Periodic review and updates of security plans, policies, and processes.

It’s extremely important to note that every organization has its own unique needs and vulnerabilities, and different strategies apply to each. A one-size-fits-all security approach is simply ineffective, and as such, it’s crucial to tailor your security plan to address your specific industry, data sensitivity, and risk profile. Remember, security is a journey, not a destination. We encourage you to partner with an MSSP such as ours to build a customized security plan that fits your specific needs and helps you stay ahead of evolving threats. Here at CyberPlural, we’re focused on helping organizations move beyond a compliance-centric mentality and build a truly secure future.

By Ayooluwa Oluwagbenga
