Chances are you’ve heard a lot about compliance standards, especially if you are a CSO, CTO or CIO (and if you’re in-house counsel, chances are you have said compliance standards memorized). Lawmakers and regulators around the world are enhancing existing data security compliance requirements, implementing new legal frameworks and defining new data security regulations to respond to increasing internal and external hazards.
In a blog post published one year ago, I outlined the problems with the international use of personal data. In that piece, I noted “with more than 99 countries with data privacy laws on the books as of mid-2013 (and a further 21 countries with bills pending), there are wide global variations in requirements for protecting and storing personal data. Regulations range from very strict to more flexible, depending on the country.” This is a fascinating subject and if you’re interested in learning more, I highly suggest you check out the Vormetric/fieldfischer white paper on the legal obligations for encryption of personal data. But for purposes of this blog, my focus is centered on the efficacy of some of more well-known U.S. compliance standards. They include HIPAA, PCI DSS and Sarbanes-Oxley.
Organizations required to meet compliance standards are typically those handling vast quantities of personal and financial information. If financial, retail and healthcare companies immediately spring to mind, you’re right on the money; these verticals tend to be top data breach targets and traffic in the type of data that is extremely desirable to cyber criminals and fraudsters. Healthcare data in particular has become highly desirable to bad actors, and much more valuable than credit card information. Currently, healthcare records are selling for tens to hundreds of dollars, while U.S. credit card records sell for 50 cents or less. The enormous detail available in patient records is the reason for this; it makes it possible for criminals not only to apply for credit cards or loans, but to generate large sums from fraudulent medical charges, or even to compromise a patient’s existing financial accounts.
High-profile, successful breaches involving these types of companies include Anthem and Target. Perhaps unsurprisingly, the ramifications of both breaches have been swift, long and severe. They include lawsuits, investments in cyber education campaigns, executive layoffs and public lambastments.
The last we checked, the Department of Health and Human Services' Office for Civil Rights was investigating the Anthem and Premera breaches to determine whether the companies were in line with compliance laws. Target, however, was considered compliant at the time it was breached. As a reminder, the Target breach involved the accessing of 100 million debit and credit card accounts and personal information, a stock that tanked and quarterly numbers that fell very short of pre-breach expectations. So, what does this tell us about compliance standards?
Compliance: The Realities
Our assessment: Compliance is only somewhat helpful in addressing data security concerns. Cyberattacks change daily and hourly, but compliance regimes are updated only over many months and years. This leaves compliance mandates requiring organizations to use protection methods that may already have been eclipsed by the attackers. Compliance is a baseline standard. It is, as my colleague Sol Cates has said, “a good starting point.” It is not a foolproof strategy for protecting sensitive data.
One of my favorite analogies for compliance is as follows: Think of compliance as a bridge. It’s the bridge that allows your company to cross the water and enter the castle. But what’s stopping invaders from also crossing that bridge? That’s right, you need guards, and a moat, cannons, and maybe some dragons if you’re into that sort of thing. With determined attackers able to breach any organization’s perimeter, it’s time for organizations to realize that compliance isn’t enough.
Fighting Today’s Battles with Today’s Tools
The adversary is moving quickly and compliance standards are looking backward, always fighting what many consider the last war with tools and controls available in the rear view mirror. This is very unfortunate, to put it mildly. After all, data-at-rest is susceptible to many forces, not least of which are malicious and non-malicious insiders.
As we noted in our 2015 Insider Threat Report (ITR), the insider threat landscape is becoming more difficult to deal with as the range of miscreants moves beyond employees and privileged IT staff. It now includes outsiders who have stolen valid user credentials; business partners, suppliers, and contractors with inappropriate access rights; and third-party service providers with excessive admin privileges. Unless properly controlled, all of these groups have the opportunity to reach inside corporate networks and steal unprotected data. With this treacherous landscape in mind, organizations should be taking a data-centric approach. This includes:
- Encryption of sensitive data wherever it resides (e.g. file systems, databases, web repositories, cloud environments, big data environments and virtualization implementations)
- Policy-based access controls to assure that only authorized accounts and processes can see the data
- Monitoring of authorized accounts accessing data, to ensure that these accounts have not been compromised
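The second and third controls above, policy-based access and monitoring of the accounts that policy lets through, sketched as a small added example (not Vormetric's product code). The policy, baseline hosts and access events are constructed sample values; in a real deployment the ALLOW decision is what gates release of the decryption key.

```python
# Added illustration: deny-by-default access policy for encrypted data, plus
# monitoring of authorized accounts for signs of stolen credentials.
from collections import defaultdict

# Constructed policy: per protected path prefix, the (account, process) pairs
# that may receive plaintext. Everyone else, including DBAs, backup jobs and a
# stolen credential used from the wrong binary, sees only ciphertext.
POLICY = {
    "/data/patients/": {("ehr_svc", "/usr/bin/ehr-server")},
    "/data/cards/": {("pos_svc", "/opt/pos/posd")},
}

# Constructed baseline: hosts each authorized account normally operates from.
BASELINE_HOSTS = {"ehr_svc": {"ehr01", "ehr02"}, "pos_svc": {"pos-gw"}}


def authorized(account, process, path):
    """Policy-based access control: unknown paths and unlisted pairs are denied."""
    for prefix, allowed in POLICY.items():
        if path.startswith(prefix):
            return (account, process) in allowed
    return False


def evaluate(events, rate_limit=3):
    """Apply the policy to each event and watch the accounts that pass it.

    Each event is a constructed (account, process, path, src_host) record.
    An authorized read from an unfamiliar host, or more than rate_limit reads
    by one account, is reported as a possible compromised credential.
    Returns (decisions, alerts).
    """
    counts = defaultdict(int)
    decisions, alerts = [], []
    for account, process, path, host in events:
        if not authorized(account, process, path):
            decisions.append("DENY")  # policy violation; data stays encrypted
            continue
        decisions.append("ALLOW")
        counts[account] += 1
        if host not in BASELINE_HOSTS.get(account, set()):
            alerts.append(f"{account}: authorized read from unexpected host {host}")
        if counts[account] == rate_limit + 1:  # fire once per burst
            alerts.append(f"{account}: more than {rate_limit} reads, possible credential theft")
    return decisions, alerts
```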
I highly recommend you check out my February blog post, “A Guide to the CIO’s Toolbox,” for an exhaustive (by blog standards), thoroughly detailed overview of these technologies – and do it soon. There is no time like the present to get the data-centric ball rolling. According to our ITR, forty-four percent of U.S. respondents report their organization had experienced a data breach or failed a compliance audit in the last year.
Looking into the Compliance Crystal Ball
While the future of compliance may be murky, it certainly doesn’t mean organizations are SOL. Embracing and implementing the tactics presented above will put most companies in a much better position than they would be in if they, say, used PCI DSS alone to govern their data security strategies. We also understand that – regardless of how an organization may feel about a compliance standard’s efficacy – those standards must be met to avoid cumbersome fines.
With this in mind, our data security solutions are architected in a way that allows organizations to achieve compliance, whether it be financial, medical or governmental. We can pretty much guarantee we’ll always be one step ahead (and that’s part of the problem!).
If we could have our way with the crystal ball, we’d also ask to see a national breach notification law put into effect. Currently, all but three states have their own data breach notification laws. While this is commendable, differing state laws can often lead to confusion and inertia.
As of publication, Congress was considering the Data Security and Breach Notification Act of 2015. In our opinion, a successful national bill would be one that requires public notification in the event of financial and/or personal privacy breaches.
Breaches are embarrassing. A national data breach notification law makes them even more so. In this case, we think a little embarrassment would go a long way.