Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/9/2018
10:30 AM
Peter Merkulov
Peter Merkulov
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Compliance Complexity: The (Avoidable) Risks of Not Playing by the Rules

Achieving compliance is a challenging process, but with the right systems and customized data management policy, your organization can stay ahead of the next data breach -- and the regulators.

Data protection and privacy regulations affect organizations of every stripe. Whatever your business, if you have customers or employees, you have data that requires protection under some state or federal mandate. Such regulations are intended to ensure that proper precautions have been taken to protect potential victims of digital crimes such as fraud or identity theft stemming from malicious actors gaining access to data through hacking, technical malfunction, or human error.

Alphabet Soup of Laws and Standards
It's important to note before any discussion of regulatory compliance begins that following the rules doesn't guarantee your systems and data will remain secure. As the saying goes, "compliance is a floor, not a ceiling," and so meeting the minimum standards under the law should be regarded as a starting point. Where you take your information security program from there depends on your industry, the kinds of data your organization deals with, and its appetite for risk.

Data security and privacy regulations make up an expanding landscape made up of a long, overlapping, and often confusing alphabet soup of laws and standards like HIPAA, SOX, FCRA, GLBA, PCI DSS, GDPR, PIPEDA, and others. Security and risk management decision makers must understand the nature of these laws and set security strategies accordingly or suffer the consequences of falling short of their demands. It's not an easy task, but it is a manageable one when broken into its parts.

The first step of that process involves recognizing the ways (apart from blatantly ignoring the regulations) an organization might inadvertently fall outside the bounds of compliance.

Common Conditions That Can Compromise Compliance
The three most common conditions that can compromise a compliance program are the use and proliferation of so-called shadow IT (technologies that operate within the enterprise outside the purview of IT management); a failure to document compliance processes or enforce existing processes; and a lack of visibility into the means of collecting, managing, and storing data.

Certainly, there will likely be gaps in even the most rigorous of compliance programs, especially since compliance is a dynamic, ever-evolving endeavor. Laws change, technology changes, and the threat environment changes, so processes must change in response. Data management that includes security policies, training and awareness programs, technology maintenance, and regular systems and response testing is required. "Set it and forget it" is not a real option.

Consequences of Non-Compliance
Believe it or not, compliance saves money! According to a recent study from Ponemon and Globalscape, "The True Cost of Compliance with Data Protection Regulations," the cost of non-compliance to businesses now runs an average of $14.8 million annually, a 45% increase since 2011. The cost of compliance, on the other hand, was found to average $5.5 million, up 43% from 2011. It's clear that non-compliance puts your organization at greater risk of a data breach, and a data breach is certain to come with a steep financial cost as evidenced by the rash of well publicized data breaches since 2017 alone. Here are six ways a non-compliant organization might suffer in the event of a data breach:

Lawsuits
A data breach doesn't only affect the breached organization but may also put at risk the associated employees, consumers, customers, partners, and service providers — any of which may decide to take legal action seeking justice and protection. Win or lose, a lawsuit can be an expensive proposition.

Bank Fines
If credit card data is affected, banks may end up reissuing new cards to their customers. When that happens and the banks incur associated costs, they will likely seek to recoup those costs from the organization whose breach prompted the action by levying fines or added fees.

Governmental Audits
Any egregious breach of consumer data risks action by the Federal Trade Commission (FTC) acting on behalf of US consumers. If the organization was found to be out of compliance and negligent, the FTC may not only fine the company but also require expensive annual compliance audits for years following the negligent behavior. In April of this year, the Securities and Exchange slapped Yahoo with a $35 million fine for waiting two years to disclose its massive 2014 data breach in which Russian hackers stole personal information on approximately 1 billion user accounts.

Compensation and Remediation Costs
Among the many costs involved with a security failure are those associated with forensic investigations to determine the source and cause of the breach, fix the gaps that were exploited, and address any residual risk to consumers and others. Someone has to pay for free credit monitoring services, after all.

When Nothing Is Safe
A data breach may cause consumers to lose trust in the affected organization. When that happens there's a good chance that they will take their business elsewhere. Consider the number of retail security breaches in 2017, online or in stores, including Sears, Kmart (twice), Delta, Best Buy, Saks Fifth Avenue and Lord and Taylor (parent company Hudson's Bay), Under Armour, Panera Bread, Forever 21, Sonic, Whole Foods, Gamestop, and Arby's. What's more, who can forget when cybercriminals hacked Equifax and stole the personal data of 145 million people, including Social Security numbers, not to mention Shadow Brokers, WannaCry, NotPetya, Bad Rabbit, and more.

Lost Reputation
When word of a data breach gets out, loss of reputation soon follows. To mend fences with all affected parties, organizations will incur costs associated with increased marketing, communications, and public relations campaigns. As the saying goes, a good reputation takes years to gain — but a moment to lose.

Data Management Matters
Given the risk of failure, it's important to implement a strong data management program as a part of an organization's security and compliance strategy. If you don't know what data you have, where it's stored, who has access, and how it is used, it's impossible to keep it secure — and to prove compliance. Data management provides a framework for understanding how information moves through the enterprise. It helps with security and compliance in three primary ways:

1. Workflow and Process Automation
Human error continues to be one of the weakest links in the security chain. Workflow and process automation remove the human factor from many tasks that might otherwise be vulnerable. Automating processes associated with vital applications and services, and doing so while the organization's security and compliance functions operate in the background, lets users focus on their jobs while giving management greater peace of mind.

2. Centralized Control and Visibility
Not knowing what's happening in your network is unsettling — and can mean the enterprise is at risk of a breach. As networks grow more complex and as perimeters expand to include mobile devices, the cloud, and more, IT administrators need even greater levels of transparency into the network in order to gain a top-down view of the infrastructure that's required to achieve compliance and mitigate other security and performance risks.

3. Custom Compliance Profiles and Reporting
Every organization has its own set of regulatory expectations and challenges based on industry, size, risk appetite, and a thousand other factors. One-size-fits-all doesn't apply; specialized compliance tools offering customized data workflows and configurations ensure that, whether facing PCI DSS, HIPAA, SOX, or some combination of these and other regulations, a tailored profile and reporting structure is needed.

Related Content:

Peter Merkulov serves as chief technology officer at Globalscape. He is responsible for leading product strategy, product management, product marketing, technology alliances, engineering and quality assurance teams. Merkulov has more than 16 years of experience in the IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-18568
PUBLISHED: 2019-08-20
The my-wp-translate plugin before 1.0.4 for WordPress has XSS.
CVE-2017-18569
PUBLISHED: 2019-08-20
The my-wp-translate plugin before 1.0.4 for WordPress has CSRF.
CVE-2019-15238
PUBLISHED: 2019-08-20
The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field.
CVE-2011-5328
PUBLISHED: 2019-08-20
The user-access-manager plugin before 1.2 for WordPress has CSRF.
CVE-2014-10381
PUBLISHED: 2019-08-20
The user-domain-whitelist plugin before 1.5 for WordPress has CSRF.