Physical security controls, operating systems, mobile devices, you name it — it is amazing how the more things change in IT, the more they stay the same. When it comes to keeping critical systems protected and sensitive information under wraps, IT compliance is no exception.
What I mean by IT compliance is falling in line with government and industry regulations affecting the security and privacy of sensitive information in your business. There is plenty of regulation to go around, be it HIPAA or the HITECH Act for the healthcare industry, the Gramm-Leach-Bliley Act (GLBA) for the financial industry, or PCI DSS for credit card transactions. In fact, it can be argued that the massive regulations themselves are one of the greatest threats to business and free enterprise. At least that’s how I see it.
But it is what it is — and we mostly have ourselves to blame.
Around a decade ago, after the web became popular, we started hearing about businesses experiencing data breaches. The problem became so widespread that organizations such as the Privacy Rights Clearinghouse started tracking what was happening. As we can see on the Chronology of Data Breaches (www.privacyrights.org/data-breach) the story got ugly. Businesses didn’t self-regulate and do what was needed to keep things secure so, in typical fashion, the government and industry bodies stepped in and tried to do it for them.
Welcome to the new world of compliance that everyone loves to hate.
More than two years ago, I co-authored an article entitled “The Dangers of Over-Reliance on Compliance,” where we wrote about how businesses are not focusing on what is important and how they are doing the bare minimum to get by — and that was with most of the government and industry regulation we have today.
Now, here we are, nearly three years later, and not much has changed. Many business owners are still going down their compliance checklists, marking things off and claiming to have a handle on their business risks, but judging by the number of data breaches that still occur, they really don’t have a handle on their IT security.
Ironically, many of the data breaches are happening to businesses that claim to be “compliant” because they passed this or that audit, developed a certain level of security documentation or have fancy technical controls like firewalls, data loss prevention and encryption. But those things mean very little in the grand scheme of things.
My point is you have to look beyond the compliance checklists and approach IT from a risk management perspective. Here’s how:
1. Determine what sensitive information you have;
2. Find out how that information is at risk;
3. Implement the proper controls; and
4. Re-evaluate periodically and consistently moving forward.