Intro – Compliance Requirements and Security
While industries have focused on pushing information security standards, the ever-changing threat landscape has resulted in an upsurge of breaches year-after-year. By this week alone, there have been more than 23.9% more breaches than by this time last year – exposing more than 12 million personal records. Even though compliance has remained a necessity in industries handling sensitive user information, these stats provide evidence that compliance does not necessarily mean your business is secure. Retailers, Target, and Home Depot faced this reality during their breaches, claiming afterward that they have been PCI-DSS compliant for years.
While compliance is a good first step, regulatory compliance is a distinctive step from data security. This blog covers what compliance means regarding your company’s security and what your options are for properly securing your business.
What does it mean to be compliant?
Before jumping into what compliance means in terms of security, it is important to determine if your business even needs to worry about compliance and what it means to be compliant.
PCI, for example – if you outsource your credit/debit card processing to a payment card processor, like Square or PayPal, then you need not worry about PCI-DSS compliance. However, most businesses which store sensitive user data – such as credit card data, or electronic patient health info (ePHI) – are subject to some regulatory compliance.
To be compliant there are multiple hoops to jump through – security compliance is both complicated and costly. Not only do compliance specialists, such as a PCI QSA, create a significant amount of overhead, but failing an audit and being found out of compliance could skyrocket these costs. This is not at all mentioning the fact that even if you meet compliance standards and get hacked that your business will still be paying for compliance fines. These exact reasons are why we are determined to change the mentality on compliance vs security.
Furthermore, meeting regulatory compliance is not only crucial to avoiding fines for improper security protocols, but also in terms of setting the stage for further security implementation. Compliance is by no means a definitive security strategy but is a good start towards a larger security program.
Why doesn’t compliance mean security?
The troubling misconception is when businesses often buy-in to the idea that compliance standards are a one size fits all solution to the security needs of any business. While compliance is a good step in the right direction, each business has specific security needs that go much further than the compliance standards enforced in your environment. The security risks companies encounter are always changing, and much like laws, compliance requirements are often developed in hindsight. With this in mind, businesses are meeting compliance based on the past threat landscape and thus not securing their environments for future threats.
In a 2015 compliance report, every business investigated for a breach in the last ten years was deficient in their PCI compliance. Additionally, compliance requirements do not equate to security best practices. Prescriptive compliance requirements are typically the bare necessities of information security. To truly be ahead of the security curve your business must be determined to keep up with the changes in IT security and focused on best practices.
Compliance vs. Security to a Hacker
The breach stats don’t lie. More companies are being faced with the challenge of thwarting cyber-attacks and leaks of sensitive user data. Each industry is a target; and even if you don’t store credit card data or healthcare records, attacks are often automated, and companies always have cash. Hackers do not poach companies based on their compliance needs, but rather on the basis of there being an opportunity to exploit the security of the business.
Many of the essential security controls companies use to meet compliance such as anti-virus (AV), firewalls, and intrusion detection systems are small bumps in the road for experienced attackers. Modern day attacks can be automated to circumvent the signature-based techniques these technologies use to monitor your network. In a similar vein, in many of the assessments, Rhino completes basic security controls are regularly bypassed to get on to the client’s network.
Read more on why anti-virus is dead…
The bottom line is hackers are financially motivated. With a good amount of reconnaissance and a strong will, an attacker will find a way into your network. However, all hope is not lost; businesses do have options towards bolstering their security strategies based on their needs.
What are your next steps?
First off, it is important not to think of compliance and security as a simple checklist that you can mark off and forget. Security best practices must be exercised and regularly updated to keep up with the growing amount of threats. While this puts stress on organizations to form mature compliance and security programs, more money can be saved avoiding a breach than succumbing to basic compliance requirements and paying a list of fines when a breach occurs. The following are appropriate strategies for developing a mature security program:
- Move beyond the basic protections of security – AV, firewalls, and other essential controls are yesterday’s technologies defending against yesterday’s attacks. Develop a layered defense strategy that gives you to full visibility into your network.
- Detection is the new prevention – It is impossible to protect against every single threat, especially those that are newly developed. Prevention is not a security strategy, but rather a hope for the best. Concentrating on detection and the ability to respond to threats will keep small issues from becoming big ones.
- Develop threat intelligence and build upon best practices – It is not enough to only defend against known threats; take your security program steps further to understand and correlate new threats and vulnerabilities and how they apply to your environment. A proactive security approach is needed to defend against today’s cyber-attacks. Zero-day vulnerabilities are found each day – don’t fall victim because of reactive security practices.
- If you don’t know, ask for help! – The stress of a potential breach and compliance audits can hang heavy over organizations trying to focus on business-as-usual. If you are unsure of your security or compliance programs look at outsourcing to a trusted managed security service provider (MSSP). An MSSP, like Rhino Security Labs, can provide your business with the technology, personnel, and processes needed to meet compliance and stay ahead of the security curve.
Compliance can be a big hurdle to overcome, but as we have noted, end-to-end security is much more important when mitigating the risk of a potential breach or avoiding compliance fines. While there are measures you can take to securing your environment and developing best practices, outsourcing your security operations to an MSSP can provide your business with the expertise and proactive security needed to keep up with the changes to security and compliance.
Conclusion - Compliance and Mitigating Risk
Although it is a tough pill to swallow, it isn’t a matter of if your business is breached – but when. Attackers do not care if you are compliant with laws and regulations. Thus, compliance is not your definitive blueprint to security, and businesses must view security as a means towards compliance instead of the other way around.
If your business is hung up on compliance, it is more than likely you’re putting your security on hold. Don’t get caught up trying to manufacture a perfect compliance program while your security may be behind further than you think – contact us today.