#NSBCS.083 - Compliance ≠ Security… Let’s Discuss

Source: NSB Cyber


Compliance ≠ Security… Let’s Discuss

We hear it all the time in boardrooms, security forums and post-breach reviews:

“Compliance doesn’t mean you’re secure.”

And they’re right: it doesn’t.

Compliance is a framework, not a forcefield.

Compliance is not the set of technical controls that blocks ransomware, stops insider threats, or prevents credential-stuffing attacks. It is the set of building blocks that gives an organisation an appropriate baseline (processes, controls, and accountabilities) for managing risk in a consistent, defensible way.

ISO 27001, NIST CSF, GDPR, PCI DSS, APRA CPS 234… these aren’t magic bullets, but they do force questions that some teams wouldn’t otherwise ask.

“Have we defined our risk appetite?”

“Can we demonstrate that we’re managing supply chain risks consistently?”

“Do we actually know what data we hold… and where?”

When implemented meaningfully, compliance can help identify gaps, foster cross-functional collaboration, and keep security on the agenda in rooms where it might otherwise be sidelined.

The problem is when compliance becomes the ceiling, not the floor.

Tick-the-box audits and passive policy templates dilute the purpose, not because the frameworks are flawed, but because they are not implemented with intent.

Security is context-driven. Compliance helps ensure your house has doors and locks; security is knowing which doors matter most, and whether someone is already inside. You need both.

So the next time someone says “compliance isn’t security”, agree with them. Then ask: “How is your compliance program helping you improve security outcomes, not just report on them?”

We help organisations turn compliance obligations into an opportunity to strengthen their security and risk management capabilities, without losing sight of what matters most - the needs and context of the organisation. If you’re navigating the alphabet soup of frameworks and trying to stay secure, let’s chat about what’s right for your organisation - book a call with us today.


What we read this week

  • Fake News Sites Impersonating CNN, BBC, and CNBC Used in Widespread Crypto Investment Scams - Cybersecurity researchers have uncovered a massive campaign involving over 17,000 fake websites mimicking reputable news outlets like CNN, BBC, and CNBC to promote fraudulent cryptocurrency investment schemes. These deceptive sites, active across more than 50 countries, feature fabricated articles with endorsements from celebrities and financial institutions, often advertised through sponsored posts on platforms such as Google and Meta. Victims are directed to sophisticated scam platforms where agents solicit personal data and cryptocurrency deposits under the guise of high returns, ultimately leading to financial losses and identity theft. Organisations are advised to educate users on verifying website authenticity, avoiding unsolicited investment offers, and implementing robust ad-blocking and anti-phishing measures to combat these evolving tactics.

  • CISA Adds Critical Citrix NetScaler Vulnerability to Known Exploited Catalog Amid Ongoing Exploits - The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2025-5777, a severe flaw in Citrix NetScaler ADC and Gateway appliances, to its Known Exploited Vulnerabilities catalogue due to active exploitation in the wild. This vulnerability, with a CVSS score of 9.3, stems from improper input validation and allows attackers to bypass authentication, hijack sessions, and access sensitive information when the device is configured as a Gateway or AAA virtual server. Attacks have been observed since mid-June 2025, linked to groups such as RansomHub, targeting organisations across the U.S., Europe, and Asia. Administrators are urged to apply patches immediately and then terminate existing sessions, since a session hijacked before the upgrade remains valid after it; they should also review logs for anomalies on authentication endpoints and enforce network segmentation to limit lateral movement.

  • UNC6148 Deploys Custom Backdoor on Patched SonicWall SMA Devices - A threat actor tracked as UNC6148 has been observed installing a custom backdoor named OVERSTEP on fully patched, end-of-life SonicWall Secure Mobile Access 100 series appliances since at least October 2024. The campaign uses stolen credentials and one-time password (OTP) seeds to regain and maintain access, enabling unauthorised access and potential data exfiltration. Few victims have been identified so far, but the attack highlights the risk of keeping legacy hardware in service. Organisations using affected devices are recommended to decommission them where possible, rotate all credentials and OTP seeds (a stolen seed lets the attacker generate valid codes, so OTP alone is no longer an independent second factor), conduct thorough credential audits, and deploy endpoint detection tools to identify and respond to such intrusions.

  • China-Linked Hackers Escalate Cyber Espionage Against Taiwan's Semiconductor Industry - Cybersecurity researchers from Proofpoint and TeamT5 have reported a surge in targeted attacks by at least three China-linked hacking groups on Taiwan's chip sector and related financial analysts, occurring primarily between March and June 2025, with some activity potentially ongoing. These campaigns, amid heightened U.S.-China tensions over chip export restrictions, involve phishing emails sent from compromised Taiwanese university accounts, posing as job seekers or as fictitious investment firms, and delivering malware via PDFs with malicious URLs or password-protected archives. Targeted entities include major firms such as Taiwan Semiconductor Manufacturing Co (TSMC), MediaTek, United Microelectronics Corp (UMC), Nanya Technology, and RealTek Semiconductor, as well as investment analysts at Asian and U.S. firms; the aim is to steal intellectual property and supply chain intelligence. While success rates remain unclear, experts warn of persistent threats to the semiconductor ecosystem and recommend heightened vigilance against tailored phishing attempts, robust email filtering, and timely patching of vulnerabilities to safeguard critical infrastructure.

  • Anatsa Android Banking Trojan Targets North American Banking Apps via Google Play Dropper - ThreatFabric researchers have detailed the return of the Anatsa trojan in a North America-focused campaign, leveraging a legitimate file-reader app on the Google Play Store—downloaded over 50,000 times—to deliver malicious updates between June 24 and 30, 2025. The malware, disguised within a "PDF Update" feature, enables credential theft through overlay attacks and keylogging, remote control for fraudulent transactions, and deceptive screens like "Scheduled Maintenance" to evade detection. This marks the third such operation since 2020 focusing on U.S. and Canadian mobile banking applications, posing risks of account takeovers and financial losses. Mitigation strategies include monitoring for suspicious app updates, implementing app allowlisting, educating users on download risks, and deploying mobile threat defence solutions to block known indicators of compromise.

