New and evolving cyber threats continuously produce more attacks against organizations of all shapes and sizes. The result is a steady stream of new regulatory compliance standards, or added requirements bolted onto existing information-security standards. All of this puts businesses in certain industries, or ones handling particular types of data, in the position of putting compliance before anything else just to be able to operate.
Obviously, following compliance standards is important: they create a baseline for a security program, allow certain organizations to procure cyber insurance, and can be the "on-off switch" that either lets a company stay open or forces it to shut down operations. The issue is that compliance does not necessarily mean secure, and many organizations only prioritize checking off a few boxes while not actually practicing proper security hygiene.
What Does It Mean to Meet Compliance Standards?
To dive into this conceptual divide further, it's important to first understand what it means to be in compliance. Compliance means following a standard set forth by legislation, a regulatory agency, or even another organization, one that a firm must satisfy in order to operate. Below are some of the most commonly known compliance standards and where they came from:
- Health Insurance Portability and Accountability Act (HIPAA): Enacted into law by the United States Congress; stipulates how personally identifiable information (PII) must be protected by healthcare and health insurance businesses.
- Payment Card Industry Data Security Standard (PCI DSS): Set forth by the Payment Card Industry Security Standards Council for how organizations need to protect credit card information of the major brands.
- General Data Protection Regulation (GDPR): Regulation set by the European Union (EU) that sets standards for how personal data can be processed and secured.
- Sarbanes-Oxley Act (SOX): Law passed by the United States Congress. Focuses more on financial disclosure by large corporations. However, there are also elements requiring publicly traded companies to maintain proper IT security hygiene to protect company financial information and to have systems in place for efficient disclosure if a breach occurs.
These standards, as well as many others, tend to follow some similar requirements and are commonly used for reference when constructing new regulatory security policies. For instance, most of them stipulate the scope and timeline to which you must disclose that you had a breach to those whose data has been compromised.
It’s also very common for standards to specify preventative controls like multi-factor authentication (MFA) or an access management control system. Many even contain requirements for purchasing cyber & data breach insurance, conducting regular system penetration testing, and documenting their cybersecurity program.
Compliant vs. Secure
The main difference between being compliant and being secure is the type of blueprint that is followed. For compliance, you usually are following a set of standards declared by the compliance requirements. To be secure, you will most likely follow a “framework” which dictates the controls and processes you can use for a robust security program.
The National Institute of Standards and Technology (NIST), for instance, has their very own model for security posture known as the NIST Security Framework. It can be used to help organizations evaluate, develop, and enhance their cybersecurity program. There’s also a relatively new concept called the Zero Trust Framework (or Zero Trust Architecture) that takes into account the large shift into more cloud-based infrastructure.
Whose Data is Prioritized?
If you think about the reason a compliance standard is set, it’s usually designed to protect the privacy and data of customers or end-users. Oftentimes, there will also be compliance requirements in order to be awarded a service contract. In these cases, the prime contractor or client is setting standards to protect their own data from negligence by an independent contractor or service-provider.
When you are talking about being “secure,” you are generally referring to protecting your own technology assets, systems, and data in addition to your customers’ information. In most circumstances, having solutions in place to protect an organization’s assets also will secure their customer data by default.
Most of the time, both compliance and security will require an audit of some kind. A cybersecurity consultant, IT management firm, or managed-security service provider will be able to evaluate if your organization is secure in their eyes or in relation to a specific framework.
Depending on the law or standards, some of these same businesses could assist in compliance reviews as well. For many regulatory standards, however, an organization will have to use a third-party auditor that has the credentials to be able to sign off that they meet compliance standards.
How the Current Compliance Standards System Creates Issues
The way our compliance procedures are currently set up appears, at times, to create more problems than it solves. The issue with compliance management is two-fold: auditors aren't always thorough enough in their evaluation, and organizations will only do the bare minimum to meet the standards.
For example, let's say that a contract or regulatory requirement states that there must be a specific endpoint-security solution in place. An auditor may see that endpoint-security software was purchased for 500 endpoints and check the box that the organization is good to go. In reality, however, the software was never actually installed, and/or employees were never trained on how to use it, making the requirement useless.
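The purchase-order problem above has a concrete defender-side fix: reconcile what was bought against what the asset inventory says exists and what the endpoint agent actually reports. The script below is an added example, not part of the original post; the host names, check-in records, license count and the seven-day staleness threshold are all constructed assumptions, and the console export format (ISO 8601 timestamps with a trailing Z, a per-host health flag) is assumed rather than taken from any specific product.

```python
"""
Control-verification example (added here; not from the original post).

Instead of accepting a purchase order for 500 licenses as proof that an
endpoint-security control exists, reconcile three sources: what was bought,
what the asset inventory lists, and what the agent console actually reports.
All data below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data: hypothetical hosts, dates and license count.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
PURCHASED_LICENSES = 500

ASSET_INVENTORY = [
    "fin-ws-001", "fin-ws-002", "fin-ws-003", "fin-srv-01", "fin-srv-02",
]

# Check-in records exported from the endpoint-security console (constructed).
AGENT_CHECKINS = [
    {"host": "fin-ws-001", "last_seen": "2024-02-29T08:15:00Z", "healthy": True},
    {"host": "fin-ws-002", "last_seen": "2024-01-10T11:00:00Z", "healthy": True},   # stale
    {"host": "fin-srv-01", "last_seen": "2024-02-28T23:40:00Z", "healthy": False},  # unhealthy
    {"host": "lab-old-09", "last_seen": "2024-02-27T09:00:00Z", "healthy": True},   # not inventoried
]

STALE_AFTER = timedelta(days=7)  # assumed threshold for "agent still reporting"


def parse_ts(value):
    # Assumed export format: ISO 8601 with a trailing Z for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(inventory, checkins, purchased, now=NOW, stale_after=STALE_AFTER):
    """Compare purchase evidence against deployment evidence.

    Returns the gaps an auditor should ask about, not just the single number
    a purchase order provides.
    """
    seen = {c["host"]: c for c in checkins}
    inventory_set = set(inventory)

    missing = sorted(h for h in inventory_set if h not in seen)
    stale = sorted(
        h for h, c in seen.items()
        if h in inventory_set and now - parse_ts(c["last_seen"]) > stale_after
    )
    unhealthy = sorted(
        h for h, c in seen.items() if h in inventory_set and not c["healthy"]
    )
    # Agents reporting from hosts nobody inventoried are a finding in their own right.
    unknown = sorted(h for h in seen if h not in inventory_set)

    # An endpoint only counts as protected if it is inventoried, reporting
    # recently, and healthy.
    protected = sorted(
        h for h in inventory_set
        if h in seen and h not in stale and h not in unhealthy
    )
    coverage = round(100 * len(protected) / len(inventory_set), 1) if inventory_set else 0.0
    return {
        "purchased": purchased,
        "inventoried": len(inventory_set),
        "protected": len(protected),
        "coverage_pct": coverage,
        "missing_agent": missing,
        "stale_agent": stale,
        "unhealthy_agent": unhealthy,
        "not_in_inventory": unknown,
    }


def evidence_is_sufficient(report, required_coverage_pct=100.0):
    # The license count never enters this decision; only deployment evidence does.
    return report["coverage_pct"] >= required_coverage_pct and not report["missing_agent"]


if __name__ == "__main__":
    result = reconcile(ASSET_INVENTORY, AGENT_CHECKINS, PURCHASED_LICENSES)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("control evidenced:", evidence_is_sufficient(result))
```

With the constructed data, 500 licenses were bought but only one of five inventoried hosts is actually protected; the report lists the two hosts with no agent, the one whose agent stopped reporting, the one reporting unhealthy, and an unmanaged host the console knows about but the inventory does not. That list is the evidence an auditor should be looking at instead of the invoice.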
Additionally, there are plenty of scenarios where the standards aren't even being truly enforced and businesses remain open anyway. An alarming statistic from a few years ago illustrates this: a Verizon report found that only 29% of companies with PCI requirements were fully compliant.
On the other side, despite our knowing that compliance does not equal security, organizations still think the bare minimum is okay. For instance, 68% of business leaders know that cyber risks are increasing yet feel that getting certified once is enough for their security management. Many of these standards lack the critical preventive controls, threat detection, or incident-response requirements needed for a foolproof program, and those are just a few of the gaps.
The Future of Zero Trust Security and Compliance Standards
As Zero Trust Security is proving itself as one of the best frameworks to construct your cybersecurity around, more and more businesses are expected to adopt it. Estimates now show as high as 60% of businesses will move to Zero Trust by 2023 and 42% are already in the early stages of implementation.
We’ve even begun seeing compliance requirements incorporate Zero Trust into their standards. A recent executive order by the Biden administration states that federal government institutions must utilize Zero Trust in their programs. The NIST framework, which acts as a stepping stone for many compliance standards, is also actively promoting this type of architecture for businesses to embrace.
The "continuous access management control and monitoring" element of Zero Trust is widely mirrored in compliance requirements. There's also the idea of following the "principle of least privilege," which is explicitly declared in HIPAA standards.
Example of Security Being Overlooked
Since the disconnect between compliance and security is clear, let's present an example to show the negative consequences of this mindset:
Let’s say a mid-sized financial institution that collects credit card information was getting an audit done for PCI compliance. Their executive risk manager decided to be lazy and cheap by lying to the auditor that their employees had completed the security awareness training requirement for PCI. This person even showed a fake purchase order to the auditor as their proof.
Unfortunately, because employees had zero training on cyber threats like social engineering, many fell victim to phishing scams that persuaded them to send customer credit card data files to a scammer who had been pretending to be someone else. The criminal went on to make some expensive purchases and the incident resulted in dozens of data liability lawsuits against the firm.
This exact scenario shows the two-fold issue of auditors not doing their due diligence and organizations choosing to only “check off a few boxes.” In this circumstance, however, matters were made worse because the organization wasn’t actually in compliance or fully secure.
Become Compliant AND Secure with AGT
Ascension Global Technology is ready to help you both fulfill security-compliance requirements and develop a cybersecurity program that is comprehensive and suitable for the modern IT infrastructure. Schedule a consultation today to speak with one of the AGT experts and get started.