Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/9/2018
10:30 AM
Peter Merkulov
Peter Merkulov
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Compliance Complexity: The (Avoidable) Risks of Not Playing by the Rules

Achieving compliance is a challenging process, but with the right systems and customized data management policy, your organization can stay ahead of the next data breach -- and the regulators.

Data protection and privacy regulations affect organizations of every stripe. Whatever your business, if you have customers or employees, you have data that requires protection under some state or federal mandate. Such regulations are intended to ensure that proper precautions have been taken to protect potential victims of digital crimes such as fraud or identity theft stemming from malicious actors gaining access to data through hacking, technical malfunction, or human error.

Alphabet Soup of Laws and Standards
It's important to note before any discussion of regulatory compliance begins that following the rules doesn't guarantee your systems and data will remain secure. As the saying goes, "compliance is a floor, not a ceiling," and so meeting the minimum standards under the law should be regarded as a starting point. Where you take your information security program from there depends on your industry, the kinds of data your organization deals with, and its appetite for risk.

Data security and privacy regulations make up an expanding landscape made up of a long, overlapping, and often confusing alphabet soup of laws and standards like HIPAA, SOX, FCRA, GLBA, PCI DSS, GDPR, PIPEDA, and others. Security and risk management decision makers must understand the nature of these laws and set security strategies accordingly or suffer the consequences of falling short of their demands. It's not an easy task, but it is a manageable one when broken into its parts.

The first step of that process involves recognizing the ways (apart from blatantly ignoring the regulations) an organization might inadvertently fall outside the bounds of compliance.

Common Conditions That Can Compromise Compliance
The three most common conditions that can compromise a compliance program are the use and proliferation of so-called shadow IT (technologies that operate within the enterprise outside the purview of IT management); a failure to document compliance processes or enforce existing processes; and a lack of visibility into the means of collecting, managing, and storing data.

Certainly, there will likely be gaps in even the most rigorous of compliance programs, especially since compliance is a dynamic, ever-evolving endeavor. Laws change, technology changes, and the threat environment changes, so processes must change in response. Data management that includes security policies, training and awareness programs, technology maintenance, and regular systems and response testing is required. "Set it and forget it" is not a real option.

Consequences of Non-Compliance
Believe it or not, compliance saves money! According to a recent study from Ponemon and Globalscape, "The True Cost of Compliance with Data Protection Regulations," the cost of non-compliance to businesses now runs an average of $14.8 million annually, a 45% increase since 2011. The cost of compliance, on the other hand, was found to average $5.5 million, up 43% from 2011. It's clear that non-compliance puts your organization at greater risk of a data breach, and a data breach is certain to come with a steep financial cost as evidenced by the rash of well publicized data breaches since 2017 alone. Here are six ways a non-compliant organization might suffer in the event of a data breach:

Lawsuits
A data breach doesn't only affect the breached organization but may also put at risk the associated employees, consumers, customers, partners, and service providers — any of which may decide to take legal action seeking justice and protection. Win or lose, a lawsuit can be an expensive proposition.

Bank Fines
If credit card data is affected, banks may end up reissuing new cards to their customers. When that happens and the banks incur associated costs, they will likely seek to recoup those costs from the organization whose breach prompted the action by levying fines or added fees.

Governmental Audits
Any egregious breach of consumer data risks action by the Federal Trade Commission (FTC) acting on behalf of US consumers. If the organization was found to be out of compliance and negligent, the FTC may not only fine the company but also require expensive annual compliance audits for years following the negligent behavior. In April of this year, the Securities and Exchange slapped Yahoo with a $35 million fine for waiting two years to disclose its massive 2014 data breach in which Russian hackers stole personal information on approximately 1 billion user accounts.

Compensation and Remediation Costs
Among the many costs involved with a security failure are those associated with forensic investigations to determine the source and cause of the breach, fix the gaps that were exploited, and address any residual risk to consumers and others. Someone has to pay for free credit monitoring services, after all.

When Nothing Is Safe
A data breach may cause consumers to lose trust in the affected organization. When that happens there's a good chance that they will take their business elsewhere. Consider the number of retail security breaches in 2017, online or in stores, including Sears, Kmart (twice), Delta, Best Buy, Saks Fifth Avenue and Lord and Taylor (parent company Hudson's Bay), Under Armour, Panera Bread, Forever 21, Sonic, Whole Foods, Gamestop, and Arby's. What's more, who can forget when cybercriminals hacked Equifax and stole the personal data of 145 million people, including Social Security numbers, not to mention Shadow Brokers, WannaCry, NotPetya, Bad Rabbit, and more.

Lost Reputation
When word of a data breach gets out, loss of reputation soon follows. To mend fences with all affected parties, organizations will incur costs associated with increased marketing, communications, and public relations campaigns. As the saying goes, a good reputation takes years to gain — but a moment to lose.

Data Management Matters
Given the risk of failure, it's important to implement a strong data management program as a part of an organization's security and compliance strategy. If you don't know what data you have, where it's stored, who has access, and how it is used, it's impossible to keep it secure — and to prove compliance. Data management provides a framework for understanding how information moves through the enterprise. It helps with security and compliance in three primary ways:

1. Workflow and Process Automation
Human error continues to be one of the weakest links in the security chain. Workflow and process automation remove the human factor from many tasks that might otherwise be vulnerable. Automating processes associated with vital applications and services, and doing so while the organization's security and compliance functions operate in the background, lets users focus on their jobs while giving management greater peace of mind.

2. Centralized Control and Visibility
Not knowing what's happening in your network is unsettling — and can mean the enterprise is at risk of a breach. As networks grow more complex and as perimeters expand to include mobile devices, the cloud, and more, IT administrators need even greater levels of transparency into the network in order to gain a top-down view of the infrastructure that's required to achieve compliance and mitigate other security and performance risks.

3. Custom Compliance Profiles and Reporting
Every organization has its own set of regulatory expectations and challenges based on industry, size, risk appetite, and a thousand other factors. One-size-fits-all doesn't apply; specialized compliance tools offering customized data workflows and configurations ensure that, whether facing PCI DSS, HIPAA, SOX, or some combination of these and other regulations, a tailored profile and reporting structure is needed.

Related Content:

Peter Merkulov serves as chief technology officer at Globalscape. He is responsible for leading product strategy, product management, product marketing, technology alliances, engineering and quality assurance teams. Merkulov has more than 16 years of experience in the IT ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8913
PUBLISHED: 2020-08-12
A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a dir...
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183