Compliance means different things to different people. Indeed, regulatory compliance requirements are — and should be — handled differently based on the unique needs of the business. The ugly reality is that there are so many assumptions being made about compliance that it often skews the perception of what’s really going on.
Here are what I believe to be the most dangerous assumptions we make about regulatory compliance requirements and how they can get us — and our businesses — into hot water:
1. We’re compliant, so our information is safe. The most common assumption is that compliance equals security. It doesn’t. Never has and never will. Your business may be “compliant” at the moment, but odds are you’ve still got tons of low-hanging fruit that needs to be fixed. It’s time to dig deeper.
2. Our lawyer is in charge, so all is well. Lawyers should have the final say-so, but they shouldn’t be calling all the shots. Compliance is much more complex than audit reports and contracts. There’s information risk assessments, vulnerability management, incident response, access controls, etc. All the right people across the board need to be involved throughout the compliance process.
3. It’s not worth the money to become — and stay — compliant. According to the Ponemon Institute, the cost of noncompliance is 2.65 times the cost of adhering to regulatory compliance requirements. Do what needs to be done, and you’ll save a tremendous amount of money and effort. As time goes on, you’re going to be forced into compliance eventually. Why not get started now?
4. We encrypt our PII — that’s the ultimate security control. Even though data is encrypted, there are numerous ways to exploit known flaws, especially if the encryption wasn’t properly implemented or isn’t being managed the way it needs to be. You need encryption — but don’t assume it’s working as intended.
5. Our tools are telling us that we’re compliant; enough said. Good network and security tools are essential for visibility and control, but you can never rely on them completely. Be it identity management, network monitoring, vulnerability management — you name it — canned reports from such tools most often do not reflect reality. You have to look closer and validate for yourself.
6. We’ve done everything required by the regulations, that’s all we need to do. Focusing on what’s required doesn’t mean you’ve covered all your bases. The minimum regulatory compliance requirements are often a baseline of suggestions, but it may not be what your business really needs. Furthermore, I can’t tell you how many times I’ve seen businesses “become” compliant without ever performing a single information risk assessment. You can’t possibly put the right security controls in place if you don’t even know what needs attention.
7. We had a breach and subsequent compliance sanctions, so we learned our lessons and are much more secure now. Humans often assume what other people are thinking and that others are taking care of what’s needed. A prime time for this to happen is after a breach occurs and we get back into our day-to-day work, then become complacent. Assuming that everything has been uncovered and fixed is a prime opportunity for people to let their guard down and for something else to go awry. Experiencing a data breach means you’ve got to up your game, big time — and stay on top of things without ever letting your guard down.
You cannot change what you tolerate. Fix your oversights and gaps surrounding regulatory compliance requirements now, before they bite when you’re least expecting it.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.