Compliance does not equal security

Many organisations blur the distinction between compliance and security, and because the two concepts share common ground, many businesses believe that achieving compliance with industry regulations is the only measure needed to keep valuable data safe.
“This simply isn’t the case, and confusing the two issues can be a recipe for disaster,” says Robert Brown, CEO of DRS, a Cognosec company.
According to him, compliance isn’t an accurate representation of how businesses are using security to protect their assets. “Too often, compliance ends up being a question of going through the motions, implementing the bare minimum, and telling the auditors that all the boxes are checked.”
He adds that many businesses that house highly sensitive information have suffered a breach despite being completely compliant and in line with regulations. “Take retail giant Target, for example. Target was certified as meeting the standard for the payment card industry in September 2013, yet suffered a data breach that saw more than 70 million credit and debit card numbers being stolen some two months later.”
There was also the case a few days ago in which Ster-Kinekor’s old Web site, which was replaced last year, was found to have a security flaw that leaked the data of up to 6.7 million users. The vulnerability was discovered by local software developer Matt Cavanagh, who goes by the moniker RogueCode. According to him, the vulnerability allowed anyone to access the profile details of users in the cinema giant’s system, including names, addresses, phone numbers, and plaintext passwords.
This goes to show that being compliant does not mean being secure; compliance is only a picture of how a company’s security posture lines up with legal requirements at a given point in time, explains Brown. “Target and Ster-Kinekor haven’t been the only ‘compliant’ businesses to fall prey to hackers. Other international examples include Heartland Payment Systems and Neiman Marcus. Both businesses were compliant with the Payment Card Industry Data Security Standard (PCI DSS), showing that compliance really is no guarantee against an attack.”
In fact, over the last few years several compliant businesses have suffered significant and public intrusions. “In several cases executives’ heads rolled, and the businesses publicly committed to completely overhauling their security systems and practices. Others brought in a CISO as a further face of the company’s commitment to IT security.”
However, according to Brown, what is really key here is the understanding that both security and compliance are crucial to the business. “A thorough, layered approach to security that includes tools and solutions, operational controls, education, and policies, combined with a solid compliance plan is the best way to protect the organisation from attack.”
He says that while this may be costly, it is far cheaper in the long run than a breach. “The Ponemon Institute’s Cost of a Data Breach Study 2016 revealed that the average consolidated total cost of a data breach is $4 million. In addition, the study reported that the cost incurred for each lost or stolen record containing sensitive and confidential information is now $158.”
And these are only the costs that can be measured. “There is also the danger of massive fines should a company lose customer data, not to mention the catastrophic costs associated with damage to brand and loss of customer confidence.”
Ultimately, to keep today’s environments safe, companies need to design and implement an advanced security programme that goes above and beyond compliance requirements. “Today’s environments are complex. There’s cloud to be taken into consideration, and the phenomenon of mobility. Bring-your-own, whether it is a device or an application, also needs to be taken into consideration. Then there’s the Internet of Things, which sees every imaginable gadget being hooked up to the Internet.”
Reliance on compliance does not keep the business safe; it only results in the very lowest baseline of protection. “To properly guard against today’s sophisticated and complex threats, security must be a top priority and must have an all-encompassing approach that unites the different controls to provide a tight blanket of security,” Brown concludes.