Cloud

5/9/2018
10:30 AM
Peter Merkulov
Peter Merkulov
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Compliance Complexity: The (Avoidable) Risks of Not Playing by the Rules

Achieving compliance is a challenging process, but with the right systems and customized data management policy, your organization can stay ahead of the next data breach -- and the regulators.

Data protection and privacy regulations affect organizations of every stripe. Whatever your business, if you have customers or employees, you have data that requires protection under some state or federal mandate. Such regulations are intended to ensure that proper precautions have been taken to protect potential victims of digital crimes such as fraud or identity theft stemming from malicious actors gaining access to data through hacking, technical malfunction, or human error.

Alphabet Soup of Laws and Standards
It's important to note before any discussion of regulatory compliance begins that following the rules doesn't guarantee your systems and data will remain secure. As the saying goes, "compliance is a floor, not a ceiling," and so meeting the minimum standards under the law should be regarded as a starting point. Where you take your information security program from there depends on your industry, the kinds of data your organization deals with, and its appetite for risk.

Data security and privacy regulations make up an expanding landscape made up of a long, overlapping, and often confusing alphabet soup of laws and standards like HIPAA, SOX, FCRA, GLBA, PCI DSS, GDPR, PIPEDA, and others. Security and risk management decision makers must understand the nature of these laws and set security strategies accordingly or suffer the consequences of falling short of their demands. It's not an easy task, but it is a manageable one when broken into its parts.

The first step of that process involves recognizing the ways (apart from blatantly ignoring the regulations) an organization might inadvertently fall outside the bounds of compliance.

Common Conditions That Can Compromise Compliance
The three most common conditions that can compromise a compliance program are the use and proliferation of so-called shadow IT (technologies that operate within the enterprise outside the purview of IT management); a failure to document compliance processes or enforce existing processes; and a lack of visibility into the means of collecting, managing, and storing data.

Certainly, there will likely be gaps in even the most rigorous of compliance programs, especially since compliance is a dynamic, ever-evolving endeavor. Laws change, technology changes, and the threat environment changes, so processes must change in response. Data management that includes security policies, training and awareness programs, technology maintenance, and regular systems and response testing is required. "Set it and forget it" is not a real option.

Consequences of Non-Compliance
Believe it or not, compliance saves money! According to a recent study from Ponemon and Globalscape, "The True Cost of Compliance with Data Protection Regulations," the cost of non-compliance to businesses now runs an average of $14.8 million annually, a 45% increase since 2011. The cost of compliance, on the other hand, was found to average $5.5 million, up 43% from 2011. It's clear that non-compliance puts your organization at greater risk of a data breach, and a data breach is certain to come with a steep financial cost as evidenced by the rash of well publicized data breaches since 2017 alone. Here are six ways a non-compliant organization might suffer in the event of a data breach:

Lawsuits
A data breach doesn't only affect the breached organization but may also put at risk the associated employees, consumers, customers, partners, and service providers — any of which may decide to take legal action seeking justice and protection. Win or lose, a lawsuit can be an expensive proposition.

Bank Fines
If credit card data is affected, banks may end up reissuing new cards to their customers. When that happens and the banks incur associated costs, they will likely seek to recoup those costs from the organization whose breach prompted the action by levying fines or added fees.

Governmental Audits
Any egregious breach of consumer data risks action by the Federal Trade Commission (FTC) acting on behalf of US consumers. If the organization was found to be out of compliance and negligent, the FTC may not only fine the company but also require expensive annual compliance audits for years following the negligent behavior. In April of this year, the Securities and Exchange slapped Yahoo with a $35 million fine for waiting two years to disclose its massive 2014 data breach in which Russian hackers stole personal information on approximately 1 billion user accounts.

Compensation and Remediation Costs
Among the many costs involved with a security failure are those associated with forensic investigations to determine the source and cause of the breach, fix the gaps that were exploited, and address any residual risk to consumers and others. Someone has to pay for free credit monitoring services, after all.

When Nothing Is Safe
A data breach may cause consumers to lose trust in the affected organization. When that happens there's a good chance that they will take their business elsewhere. Consider the number of retail security breaches in 2017, online or in stores, including Sears, Kmart (twice), Delta, Best Buy, Saks Fifth Avenue and Lord and Taylor (parent company Hudson's Bay), Under Armour, Panera Bread, Forever 21, Sonic, Whole Foods, Gamestop, and Arby's. What's more, who can forget when cybercriminals hacked Equifax and stole the personal data of 145 million people, including Social Security numbers, not to mention Shadow Brokers, WannaCry, NotPetya, Bad Rabbit, and more.

Lost Reputation
When word of a data breach gets out, loss of reputation soon follows. To mend fences with all affected parties, organizations will incur costs associated with increased marketing, communications, and public relations campaigns. As the saying goes, a good reputation takes years to gain — but a moment to lose.

Data Management Matters
Given the risk of failure, it's important to implement a strong data management program as a part of an organization's security and compliance strategy. If you don't know what data you have, where it's stored, who has access, and how it is used, it's impossible to keep it secure — and to prove compliance. Data management provides a framework for understanding how information moves through the enterprise. It helps with security and compliance in three primary ways:

1. Workflow and Process Automation
Human error continues to be one of the weakest links in the security chain. Workflow and process automation remove the human factor from many tasks that might otherwise be vulnerable. Automating processes associated with vital applications and services, and doing so while the organization's security and compliance functions operate in the background, lets users focus on their jobs while giving management greater peace of mind.

2. Centralized Control and Visibility
Not knowing what's happening in your network is unsettling — and can mean the enterprise is at risk of a breach. As networks grow more complex and as perimeters expand to include mobile devices, the cloud, and more, IT administrators need even greater levels of transparency into the network in order to gain a top-down view of the infrastructure that's required to achieve compliance and mitigate other security and performance risks.

3. Custom Compliance Profiles and Reporting
Every organization has its own set of regulatory expectations and challenges based on industry, size, risk appetite, and a thousand other factors. One-size-fits-all doesn't apply; specialized compliance tools offering customized data workflows and configurations ensure that, whether facing PCI DSS, HIPAA, SOX, or some combination of these and other regulations, a tailored profile and reporting structure is needed.

Related Content:

Peter Merkulov serves as chief technology officer at Globalscape. He is responsible for leading product strategy, product management, product marketing, technology alliances, engineering and quality assurance teams. Merkulov has more than 16 years of experience in the IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.