With Data Security, Compliance Is The Beginning, Not The End
Ask PKWARE customers about the biggest challenge they face, and many respond with one word: compliance.
Every industry has separate mandates to worry about, such as HIPAA for healthcare and PCI DSS for financial services. The common denominator in just about every compliance mandate is the need for Data Loss Prevention.
Overall, compliance requirements have been good for security. If it weren’t for these regulations and industry standards, many enterprises wouldn’t be doing nearly enough to safeguard sensitive data.
But there are risks in how enterprises handle compliance. A checkbox mentality often ensues, where companies put their primary focus on checking off the boxes on a list during a compliance audit.
They may indeed pass the audit, but that doesn’t mean the technology is correctly configured, the necessary follow-up is happening, or that employees are adhering to and complying with new policies and regulations.
For me, one of the best examples is from nearly a decade ago, when the Hannaford Bros. supermarket chain suffered a devastating data breach.
I was a reporter back then, and had interviewed the then-CISO a few weeks before the breach went public. The interview was about how Hannaford’s achieved PCI DSS compliance. He outlined specific technologies deployed, specific rules adopted, and so on.
But that didn’t stop the breach from happening. And for Hannaford’s, it was costly.
Since then, the company has taken steps to fix the holes that allowed the breach to occur. As a Hannaford’s shopper, I’ve seen some of those changes up close, specifically with the deployment of more robust card-swiping devices.
The bottom line? Spending money on security is important. Checking everything off the auditor’s list is also important. But it’s not enough to just deploy technology and walk away.
Enterprises must continuously review how well employees are heeding policies. IT shops need constant training and review to ensure they are deploying technology properly and using it as intended.
Most importantly, enterprises must think of compliance as a means to an end, not the end in itself. Look at it as one piece of leverage to build the security program the company needs and deserves, the starting point of a much larger, much more rigorous data protection plan.