How to Take the Confusion Out of Compliance

For 10 long years, war raged between the Greeks and Trojans over the abduction of Helen, the beautiful wife of Spartan King Menelaus, by Paris of Troy. The Greeks tried everything to break through Troy’s formidable walls with no luck.

Odysseus had an idea. What if they built a huge wooden horse, stuffed it with soldiers, and left it outside the city gates? Pretending to admit defeat, the Greeks left their “gift” and sailed home. Thinking the horse was a victory trophy, the Trojans hauled it inside the walls. And while they celebrated their supposed triumph, Greek soldiers popped out of the horse and overran the city. 

It makes one wonder — was Odysseus the world’s first hacker? Indeed, the term “Trojan Horse” has since become widely known as a strategy used by cybercriminals to snake their way inside your network to do you and your business harm.

Clearly, Troy’s citizens failed to understand the risk they were taking in accepting this “gift” dropped on their doorstep. It must have been a truly puzzling situation – who would’ve expected the Greeks to abandon their siege and depart, leaving behind this amazing gift?

City management didn’t have any policies in play to deal with this sort of thing.

I’m glad this ancient legend remains part of our vernacular, because it’s an easy-to-grasp way to understand today’s real dangers. Most cybersecurity content these days is complex, muddled technobabble.

Compliance isn’t really all that complex

Helping the little guy stay safe is why I’m so passionate about doing something different to cut through the confusion. I create content (videos, articles, haikus, and parody songs) designed to be entertaining, so people pay attention and inadvertently learn things that make them and their business safer from cybercrime.

So many people confuse the terms “cybersecurity” and “compliance” when actually, the distinction between the two is simple:

Cybersecurity is, “Oh crap, Russia’s hacking my network. How do I stop them?”

Compliance is lawyers or the Feds showing up saying, “Six months ago, Russia stole stuff from your network. Show us documentation proving you aren’t negligent.”

The good news is that taking the steps to move your company into compliance addresses cybersecurity at the same time. To me, this boils down to three simple rules:

Rule 1 – Get buy-in from the executive team

The executive team has to accept compliance as a reality. Reluctance is natural — I’ll bet when that giant horse showed up, the first to invite it in was Troy’s king.

It’s vital to have the complete buy-in of senior management. Compliance isn’t something you “sort of” do. It takes a shift in mindset and an all-out commitment. If you don’t have acceptance at the very top of the organization, it will never happen.

We have a client CEO who paid lip service to most of the cybersecurity things until it affected him. He didn’t want multifactor authentication, and his password to everything was Alabama7 so he “could remember it.” Well, his credentials got published on the Dark Web, and within 24 hours the entire firm’s emails were compromised.

(Pro tip: If you can remember a password, it’s a bad password. Use a password manager like Keeper or Dashlane.)

Fortunately, we had appropriate countermeasures and prevented further damage, but the firm had to send embarrassing notifications to all their customers because that’s what the law requires. (By the way, he approved MFA and those other changes pronto.)

Rule 2 – Get buy-in from the employees

The citizens of Troy fatally assumed that the walls of the city would keep them safe. They were complacent about the looming threat until it was too late. If Troy had prepared a documented security plan, and every citizen had been involved in it and trained on it, someone just might have recognized the Greeks’ wooden malware and saved the day.

They could have had “Screw Achilles” theme parties, eating Trojan pizza and educating citizens on the latest tactics of those sneaky Greeks. They could have trained on what to do if (when?) the walls got breached, how to respond in a crisis. Bards could have lampooned the Greeks in lyre-song, teaching Trojans how to recognize them. It wouldn’t have to be boring.

In World War II America, everyone did their part to contribute to the war effort. Remember Rosie the Riveter? Today is no different. We are literally in a cyberwar right now, and the way you do your part is by making yourself safer from cybercrime and teaching your employees. We are all in this together.

Compliance and cybersecurity used to make life for employees more complicated. “Sorry, it used to be two clicks, now it’s three clicks and you’ve got to pull out your phone for every single job function.”

Now, thanks to improvements in technology and training, it can be much easier for anyone to keep their identity and data safe. And I’m excited it’s getting easier to do affordably.

Even though you give people tools and training, they still have to do the things. Each employee must understand that they have to play along, or they will be the person who brings down the entire business.

Rule 3 – Engage the professionals

How do you take the confusion out of your health? You engage a doctor.

How do you take the confusion out of the law? Engage a lawyer.

Whereas the Greeks and Trojans consulted the Oracles and invoked their gods of Wisdom and War, Athena and Ares, you should consult and work with folks who know what they’re doing. I’ll stop short of calling us oracles.

You’re outclassed – which is why these laws exist in the first place. The enemy is just that good.

If you simply follow the rules of your compliance framework (HIPAA, FTC Safeguards, etc.), cybersecurity will take care of itself. Just do what the law says. If you’re not an expert, engage one.

Implementing compliance is much like the process of Troy’s founding. In the beginning, there were no defenses, only homes. After a few attacks from marauders, protecting themselves became an attractive pursuit. So, they set about building a wall.

The first iteration was the least impressive, just stacked rocks, but they had to start somewhere. Then they built a tower. Then they expanded the rock wall. Then they dug the wall down to bedrock. Then they replaced rocks with hewn stone, which fit together more tightly. Then they built watchtowers on the corners. Then they reinforced the gate. Then they built a citadel.

Building the wall took the Trojans a lot of time and cost them a lot of money, but it was worth it. They never stopped improving, and eventually the Greeks marveled that it had been built by the gods themselves. That wall kept Troy safe for a very long time, until the Greeks used social engineering to get around it.

Compliance is very much like Troy’s defenses. You’re constantly making changes and improving things. Fortunately, you don’t have to wing it like Troy did, because all compliance frameworks mandate a process to follow.

  • You must have a security plan.
  • You must do an assessment that identifies the things you’re not doing that you should.
  • And you keep working through that process, closing those items over time.

Although fewer people now deny that cybercrime exists, or insist it will never happen to them, cybersecurity isn’t cheap. It’s a cost of doing business that literally did not exist years ago.

It’s a game you have to play, but you need to know and understand whom you are facing. Imagine for a moment that you’re Troy, and you’re in a war. But, instead of the Greeks with horses, bronze weapons, and arrows, you’re fighting a World War II army. They have steel, internal combustion engines, gunpowder, tanks, mortars, rockets, howitzers, and airplanes.

It wouldn’t be much of a battle, would it? That’s what the hackers’ team looks like. So what does your team look like? Be honest … if it’s just you, you’re going to get squashed under the proverbial Panzer tank. You need professionals on your team because they’ve got professionals on theirs.

Just get started

Troy’s downfall could’ve turned out differently. What if …

  • They’d adopted a framework with policies on how to accept Greek gifts during wartime?
  • They had a plan for dealing with unexpected “surprises” from unknown entities?
  • They trained everyday citizens not to get suckered by something “cool”?

We’ll never know whether they could have avoided Bronze Age ransomware and its devastation. But we CAN resolve not to let that hard lesson learned fade into the dust of history.

Do SOMETHING. Just start. Compliance is not all or nothing. It’s about progress, not perfection. You must be compliant with the process and execute it in good faith.

Maybe you’re thinking, “We’ve done assessments and there’s more that we can do!”

I get it. Pick the things you CAN do this year. Then do them. Next year, your assessment will show them completed. Then work on what’s left. You’ll have documented that you understand the problem, use the right process, and take it seriously. It’s not that complicated.  


Ron is Chief CybertechnoLOLogist at SIP Oasis, an Alabama managed cybersecurity company. Ron’s passion is getting normal people to learn how to protect themselves from cybercrime, using humor and relatable stories, with zero techno-jargon — “EnterTraining.”