Organisations that store personal data are subject to various laws, regulations and policies to which they must adhere. Compliance regimes in various industries and regions include PCI-DSS, HIPAA, ISO, GLBA, FISMA, FCA, etc. However, most high-profile data breaches occur in organisations that are already compliant. Compliance does not equal security. Even encryption of data is an insufficient guarantee against data breaches these days.
The cost of a data breach can be $145 per record, or even higher. Evidence shows that customers shun the brand following a high-profile data breach – it can be calamitous for the organisation.
Although there is overlap, compliance and security are not the same. Conforming to security regulations can lead to complacency, lulling organisations into a false sense of safety – creating an illusion of security.
Compliance should be viewed as the minimum level, a baseline starting point. Often, a focus on compliance takes attention away from real security, and over-reliance on regulations can detract from it. Being compliant is no guarantee that sensitive data is safe from attack.
Compliance requirements lag behind the latest risks and solutions. Laws and regulations do not keep up with rapid advancements in threats and cyber attacks. Organisations that do only the minimum to comply can still have considerable vulnerabilities. Some will experience high-profile data breaches that could put the very future of the organisation under threat.
Many companies, wishing to reduce expenditure on security, go only as far as compliance. In some instances, security could well improve if the expenditure were spent not on compliance elements but on real security issues.
An illustration of the dynamic threat landscape is the Heartbleed vulnerability highlighted last month. Overnight it changed security priorities for organisations.
As threats evolve, so too do solutions. Take endpoint security, for example. Typically, organisations are compliant when they install anti-virus to protect endpoints. However, as we saw last week, even AV vendors now acknowledge that most malware escapes AV. We have been saying for years that most new malware escapes AV detection (see for example here and here). Protecting against disaster on the endpoint requires measures that secure data even if the endpoint device is infected. Specific anti-key-logging and advanced anti-phishing measures are examples of valuable security measures beyond mere compliance. Following best practices, being compliant-plus, can provide the greatest risk-reducing return on investment. Following best practices can also reduce legal liability.
Compliance should be viewed as only one aspect of the security ecosystem – a necessary first step. Once compliant, organisations need to prioritise their real security risks.