Compliance not always the best security strategy
By Enterprise Innovation Editors | 2010-02-08
Compliance with legislation and regulations does not necessarily result in a secure IT system, as cases in recent years have shown.
So says Datacraft’s general manager for security solutions, Matthew Gyde. “The scale of electronic crime in the area of wireless networks and the Internet is expanding geometrically. An American retailer lost 45 million credit card details as a result of electronic crime. The hacker was charged with two further hacking offences, bringing the total number of card details stolen to over 130 million. One of the victims – a payment card processing company – passed a PCI-DSS audit the month before card details were stolen from its systems.”
“Today, e-crime is big business,” Gyde adds, “and incidents like these underscore the findings of research we commissioned IDC to carry out in 2009, which shows a prevalent attitude among organisations. Most begrudge investment in compliance and will do the absolute minimum required by law or industry regulatory bodies. They also believe that being compliant is being secure.”
“In fact, compliance is very narrowly focused, whereas good security encompasses compliance – and extends beyond it, ensuring that organisations are best placed to deal with both known and unknown threats,” Gyde explains.
The primary research into IT security carried out by IDC, which covered 407 companies in 18 countries across Asia Pacific, Western Europe, the Americas, and the Middle East and Africa, reveals that very large organisations (1,000+ employees) are more compliant than large organisations (500-1,000 employees).
Eric Domage, IDC EMEA program manager, European security products and strategies, says, “Interestingly, very large organisations (1,000+), the Americas, and the public sector are more concerned about security regulations than other sizes of organisations, regions, or market sectors.”
The research also shows that the regulations which most concern organisations are those related to general privacy (often local in origin), followed by healthcare privacy laws, which carry specific requirements for personal confidentiality, and the protection of Personally Identifiable Information (PII).
Gyde concurs, “This leaves an enormous range and number of organisations that simply aren’t doing enough to be compliant or secure. What they don’t realise is that being compliant is not simply a matter of preventing theft of organisational and customer data. Indeed, it has a direct impact on an organisation’s reputation.”
The nature of the information that’s compromised during a security breach dictates the nature and the level of impact on the business. However, according to the IDC research, organisations that do aim for optimised compliance are most concerned about the negative impact that a security breach will have on their brand. That’s because an organisation’s brand drives its revenues.
As Gyde says, “If customers can’t trust you with their personal information, they’re certainly not going to remain your customers. Also, identity theft has very serious implications for those whose identity is stolen. They can lose control of their entire lives. In fact, organisations stand between their customers and criminals.”
According to Gyde, at a commercial level, compliance is about proving and maintaining credibility in the marketplace. “Don’t begrudge what you spend on being compliant. You’re protecting your customers and your brand. It’s important to understand that organisations don’t need to comply with every requirement out there, but must understand the requirements in their specific geographies and industry sectors.”
Gyde warns organisations not to tackle compliance on their own. “Involve experts on overall business governance and compliance in your IT security compliance projects. They’ll help you ensure that your initiatives don’t take the place of a pro-active security strategy – which means you stay focused on the strategic rather than the urgent.”