Compliance vs. protection – why the difference matters for your cybersecurity
By James Miller, Cyber Security Product Lead
Depending on your sector and the nature of your business, there are various government regulations, industry standards and cybersecurity frameworks that apply to your operations. The aim in every case is to create safe, secure IT environments that protect your organization and your customers’ private information. But compliance alone often isn’t enough to achieve that goal.
There’s a significant difference between compliance and protection. In this blog, I’ll outline those differences and, using distributed denial of service (DDoS) attacks as an example, I’ll explain the need to treat online security as more than just a box to check.
Decoupling compliance and protection
In cybersecurity contexts, compliance refers to adherence to the regulations and standards that apply to your business. These can be industry-specific or governmental and may fall under national or international jurisdiction depending on where you sell your products or services. Prominent examples include:
- Payment Card Industry Data Security Standard (PCI DSS)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- Europe’s General Data Protection Regulation (GDPR)
- The U.S. Health Insurance Portability and Accountability Act (HIPAA)
- ISO/IEC 27001: Information security, cybersecurity and privacy protection
- Cybersecurity Maturity Model Certification (CMMC) 2.0
Protection refers to the sum of the technologies, personnel and processes you have in place for cybersecurity, and how effectively these elements work together to detect and mitigate attacks.
Compliance and protection can differ by varying degrees, depending on how well-defined your compliance requirements are. The trouble is that the requirements listed in laws and standards often don’t go into enough detail or aren’t clear enough to result in sufficiently broad protection even if followed to the letter. That’s why you need to treat compliance and protection as separate matters – and get deeper insight into the nature of the threats facing your business and the solutions available to combat them.
Case in point: maximizing protection against DDoS attacks
Distributed denial of service (DDoS) attacks aim to disrupt businesses by sending large quantities of malicious traffic, all at once or gradually over time, to slow down or overload the corporate network or critical IT infrastructure. DDoS attacks are common and can significantly damage a business’s reputation and bottom line.
There are likely government or industry-wide security requirements that apply to your business related to DDoS attacks. However, a requirement could be as vague as just needing DDoS protection across your sites. You could put in place a DDoS solution that protects against volumetric attacks: those that send huge amounts of data in a short period to use up all your available bandwidth, preventing legitimate traffic from getting through. Your cloud service provider might even offer some kind of built-in DDoS protection that would technically make you compliant.
But there are more types of DDoS attacks than volumetric ones, and the DDoS protection included with your cloud service may not adequately defend against them all. For example, there are the increasingly common application-layer attacks, which exploit vulnerabilities in protocols like HTTP and SQL to slow or shut down websites and online services. These attacks can have serious impacts on your business. If you only look to satisfy a vague requirement of a regulation or standard, you may remain vulnerable to them.
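The following added example (not code from this post or from Bell) makes the gap described above concrete. It assumes a simple per-request edge log with a timestamp, source address, byte count, path and backend service time, and it applies two independent checks to three seconds of constructed traffic: a bandwidth check of the kind a basic volumetric DDoS product performs, and a backend-work check that looks at how much server time the requests demand. The thresholds (a 10 Mbit/s link, a backend pool worth 16 000 ms of service per second) are assumed values, not figures from the post.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One inbound HTTP request as an edge device might log it (assumed schema)."""
    ts: int          # second in which the request arrived
    src: str         # client address
    nbytes: int      # bytes on the wire, headers included
    path: str        # requested path
    service_ms: int  # backend time the request consumed


def constructed_sample():
    """Three seconds of constructed traffic: normal, volumetric, application-layer."""
    reqs = []
    # ts=0: 50 ordinary page loads from 50 clients, about 0.6 Mbit/s in total
    for i in range(50):
        reqs.append(Request(0, f"198.51.100.{i}", 1500, "/", 5))
    # ts=1: 1000 large requests in one second, about 12 Mbit/s: saturates the link
    for i in range(1000):
        reqs.append(Request(1, f"203.0.113.{i % 250}", 1500, "/", 5))
    # ts=2: 400 small requests (about 0.64 Mbit/s) that each hit an expensive search
    for i in range(400):
        reqs.append(Request(2, f"192.0.2.{i % 250}", 200, "/search?q=*", 150))
    return reqs


def bits_per_second(requests):
    """Sum inbound bits per second of arrival."""
    bps = defaultdict(int)
    for r in requests:
        bps[r.ts] += r.nbytes * 8
    return bps


def volumetric_seconds(requests, link_bps):
    """Bandwidth check: seconds whose inbound bit rate exceeds the link budget."""
    return sorted(t for t, bits in bits_per_second(requests).items() if bits > link_bps)


def application_layer_seconds(requests, backend_capacity_ms):
    """Backend-work check: seconds whose requests demand more service time than the pool has."""
    work = defaultdict(int)
    for r in requests:
        work[r.ts] += r.service_ms
    return sorted(t for t, ms in work.items() if ms > backend_capacity_ms)


def classify(requests, link_bps, backend_capacity_ms):
    """Label each second with which check (if any) it trips."""
    vol = set(volumetric_seconds(requests, link_bps))
    app = set(application_layer_seconds(requests, backend_capacity_ms))
    labels = {}
    for t in sorted({r.ts for r in requests}):
        if t in vol and t in app:
            labels[t] = "both"
        elif t in vol:
            labels[t] = "volumetric"
        elif t in app:
            labels[t] = "application-layer"
        else:
            labels[t] = "ok"
    return labels


if __name__ == "__main__":
    sample = constructed_sample()
    LINK_BPS = 10_000_000          # assumed 10 Mbit/s link
    BACKEND_CAPACITY_MS = 16_000   # assumed 16 workers x 1000 ms per second
    print("bandwidth check flags:", volumetric_seconds(sample, LINK_BPS))
    print("backend-work check flags:", application_layer_seconds(sample, BACKEND_CAPACITY_MS))
    print("combined:", classify(sample, LINK_BPS, BACKEND_CAPACITY_MS))
```

The bandwidth check alone flags only the second that saturates the link; the application-layer flood in the third second uses about a twentieth of the bandwidth budget and passes a bandwidth-only check untouched, yet it asks the backend for roughly four times the service time the pool can deliver. A control that satisfies a requirement worded as "DDoS protection in place" with the first check only leaves the second pattern undetected.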
DDoS attacks are also evolving constantly, becoming more aggressive and sophisticated. Regulations and frameworks can’t keep pace with the latest tactics. It’s up to your business to do what it must to stay protected.
To maximize your protection and minimize the impact of DDoS attacks, you should consider your DDoS defences more broadly. That means understanding the different kinds of attacks and what it takes to mitigate them and evaluating solutions on that basis (see our blog that breaks down the differences between edge, network and cloud DDoS solutions). It also requires putting the right technology, people and processes in place and ensuring they’re coordinated to thwart DDoS attacks as quickly and as efficiently as possible.
Protect your business with Bell
Your goal should be to go beyond just protection and into mitigation, which is about preventing DDoS attacks from reaching your network or services in the first place. To do that, you must treat compliance and protection as separate matters. It also helps to have a partner who offers the latest threat intelligence, world-class security solutions and end-to-end services.
Bell’s portfolio of cybersecurity solutions includes network, cloud and edge-based DDoS protection that provides 24/7 monitoring and can mitigate DDoS attacks quickly to keep your business online. Learn more on our DDoS security page or reach out to a Bell representative to discuss how we can help meet all your cybersecurity needs.