There is a common myth that regulation and compliance, such as PCI and Basel II, benefit data security: in other words, that thanks to these mandates data is more secure than it otherwise would be. In reality, they could quite possibly make some organizations much less secure.
How could a regulation that defines how data should be secured, and companies that comply with it, result in less security? The argument is that regulation actually lowers the bar for security rather than raising it. Because a regulation focuses only on the minimum amount of security that can be enforced across all companies, it in fact promotes the lowest common denominator.
Organizations in compliance often believe that they are also secure. Not true: it only means that they are following the regulation. Compliance and security are not synonyms.
Compliance with any standard does not equate to an assessment that a company's security is automatically appropriate. Standards are not necessarily commensurate with the size and complexity of the business environment or with the type and amount of data involved. It is highly recommended that security measures go well beyond the well-intended parameters of required mandates.
Real Reasons Why
There are numerous examples of organizations that were in compliance with a regulation but still suffered a security breach.
The most notable example is Heartland Payment Systems, which was found to be in PCI compliance yet lost millions of credit card data records because it was not secure. In what was deemed the largest credit card crime of all time, hackers broke into the computers used to process about 100 million transactions each month for 175,000 merchants. Card issuers flagged suspicious transactions, which revealed a masterminded scheme underway to steal more than 130 million credit and debit card numbers as well as personally identifying information (PII). Heartland has paid out millions to settle claims over the breach.
If organizations fear the auditor more than they fear the bad guys, then they are NOT secure. Worse yet, the bad guys know the regulations, and they know the vulnerable areas not covered by regulation; that is exactly where an organization focused on compliance may lack the necessary attention.
Failure to protect information can also allow unsophisticated, yet successful, access to sensitive information. Newswire reports state that a history student-turned-hacker penetrated the company responsible for publishing the Netherlands government's budget, accessed the secret, unreleased 2012 budget and tweeted the details on Twitter.
In other news, in the wake of last year's security breach at the government-sanctioned DigiNotar certificate authority, Dutch Security Minister Ivo Opstelten recently opened a national cyber security center. The center in The Hague brings together expertise from various governmental organizations and agencies to offer advice, aid in response to cyber threats or incidents, and support to strengthen crisis management.