[BreachExchange] Compliance Complexity: The (Avoidable) Risks of Not Playing by the Rules

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 11 14:07:13 EDT 2018


Achieving compliance is a challenging process, but with the right systems
and customized data management policy, your organization can stay ahead of
the next data breach -- and the regulators.

Data protection and privacy regulations affect organizations of every
stripe. Whatever your business, if you have customers or employees, you
have data that requires protection under some state or federal mandate.
Such regulations are intended to ensure that proper precautions have been
taken to protect potential victims of digital crimes such as fraud or
identity theft stemming from malicious actors gaining access to data
through hacking, technical malfunction, or human error.

Alphabet Soup of Laws and Standards
It's important to note before any discussion of regulatory compliance
begins that following the rules doesn't guarantee your systems and data
will remain secure. As the saying goes, "compliance is a floor, not a
ceiling," and so meeting the minimum standards under the law should be
regarded as a starting point. Where you take your information security
program from there depends on your industry, the kinds of data your
organization deals with, and its appetite for risk.

Data security and privacy regulations make up an expanding landscape made
up of a long, overlapping, and often confusing alphabet soup of laws and
standards like HIPAA, SOX, FCRA, GLBA, PCI DSS, GDPR, PIPEDA, and others.
Security and risk management decision makers must understand the nature of
these laws and set security strategies accordingly or suffer the
consequences of falling short of their demands. It's not an easy task, but
it is a manageable one when broken into its parts.

The first step of that process involves recognizing the ways (apart from
blatantly ignoring the regulations) an organization might inadvertently
fall outside the bounds of compliance.

Common Conditions That Can Compromise Compliance
The three most common conditions that can compromise a compliance program
are the use and proliferation of so-called shadow IT (technologies that
operate within the enterprise outside the purview of IT management); a
failure to document compliance processes or enforce existing processes; and
a lack of visibility into the means of collecting, managing, and storing

Certainly, there will likely be gaps in even the most rigorous of
compliance programs, especially since compliance is a dynamic,
ever-evolving endeavor. Laws change, technology changes, and the threat
environment changes, so processes must change in response. Data management
that includes security policies, training and awareness programs,
technology maintenance, and regular systems and response testing is
required. "Set it and forget it" is not a real option.

Consequences of Non-Compliance
Believe it or not, compliance saves money! According to a recent study from
Ponemon and Globalscape, "The True Cost of Compliance with Data Protection
Regulations," the cost of non-compliance to businesses now runs an average
of $14.8 million annually, a 45% increase since 2011. The cost of
compliance, on the other hand, was found to average $5.5 million, up 43%
from 2011. It's clear that non-compliance puts your organization at greater
risk of a data breach, and a data breach is certain to come with a steep
financial cost as evidenced by the rash of well publicized data breaches
since 2017 alone. Here are six ways a non-compliant organization might
suffer in the event of a data breach:

A data breach doesn't only affect the breached organization but may also
put at risk the associated employees, consumers, customers, partners, and
service providers — any of which may decide to take legal action seeking
justice and protection. Win or lose, a lawsuit can be an expensive

Bank Fines
If credit card data is affected, banks may end up reissuing new cards to
their customers. When that happens and the banks incur associated costs,
they will likely seek to recoup those costs from the organization whose
breach prompted the action by levying fines or added fees.

Governmental Audits
Any egregious breach of consumer data risks action by the Federal Trade
Commission (FTC) acting on behalf of US consumers. If the organization was
found to be out of compliance and negligent, the FTC may not only fine the
company but also require expensive annual compliance audits for years
following the negligent behavior. In April of this year, the Securities and
Exchange slapped Yahoo with a $35 million fine for waiting two years to
disclose its massive 2014 data breach in which Russian hackers stole
personal information on approximately 1 billion user accounts.

Compensation and Remediation Costs
Among the many costs involved with a security failure are those associated
with forensic investigations to determine the source and cause of the
breach, fix the gaps that were exploited, and address any residual risk to
consumers and others. Someone has to pay for free credit monitoring
services, after all.

When Nothing Is Safe
A data breach may cause consumers to lose trust in the affected
organization. When that happens there's a good chance that they will take
their business elsewhere. Consider the number of retail security breaches
in 2017, online or in stores, including Sears, Kmart (twice), Delta, Best
Buy, Saks Fifth Avenue and Lord and Taylor (parent company Hudson's Bay),
Under Armour, Panera Bread, Forever 21, Sonic, Whole Foods, Gamestop, and
Arby's. What's more, who can forget when cybercriminals hacked Equifax and
stole the personal data of 145 million people, including Social Security
numbers, not to mention Shadow Brokers, WannaCry, NotPetya, Bad Rabbit, and

Lost Reputation
When word of a data breach gets out, loss of reputation soon follows. To
mend fences with all affected parties, organizations will incur costs
associated with increased marketing, communications, and public relations
campaigns. As the saying goes, a good reputation takes years to gain — but
a moment to lose.

Data Management Matters
Given the risk of failure, it's important to implement a strong data
management program as a part of an organization's security and compliance
strategy. If you don't know what data you have, where it's stored, who has
access, and how it is used, it's impossible to keep it secure — and to
prove compliance. Data management provides a framework for understanding
how information moves through the enterprise. It helps with security and
compliance in three primary ways:

1. Workflow and Process Automation
Human error continues to be one of the weakest links in the security chain.
Workflow and process automation remove the human factor from many tasks
that might otherwise be vulnerable. Automating processes associated with
vital applications and services, and doing so while the organization's
security and compliance functions operate in the background, lets users
focus on their jobs while giving management greater peace of mind.

2. Centralized Control and Visibility
Not knowing what's happening in your network is unsettling — and can mean
the enterprise is at risk of a breach. As networks grow more complex and as
perimeters expand to include mobile devices, the cloud, and more, IT
administrators need even greater levels of transparency into the network in
order to gain a top-down view of the infrastructure that's required to
achieve compliance and mitigate other security and performance risks.

3. Custom Compliance Profiles and Reporting
Every organization has its own set of regulatory expectations and
challenges based on industry, size, risk appetite, and a thousand other
factors. One-size-fits-all doesn't apply; specialized compliance tools
offering customized data workflows and configurations ensure that, whether
facing PCI DSS, HIPAA, SOX, or some combination of these and other
regulations, a tailored profile and reporting structure is needed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180511/284cb9ed/attachment.html>

More information about the BreachExchange mailing list