Many aspects of our lives involve the creation, storage and exchange of very sensitive digital data that is governed by a variety of detailed compliance mandates. From a business perspective, compliance is a critical framework without which many sectors – particularly financial services, retail, the public sector, and in fact any company offering services to the general public – would struggle to operate effectively, or indeed at all.
Of course it’s very important for these guidelines and regulations to be enforced. They help to ensure a minimum standard of security and professional conduct, providing organisations with a list of requirements to work towards and maintain.
What’s important to consider, though, is that there are some problems with equating compliance with security: meeting a compliance mandate does not by itself tell you how secure your organisation actually is. It is important to ask whether compliance is creating a sense of complacency.
Part of the problem is that the cyberattack methods targeting corporate data evolve daily and hourly, whereas compliance regimes are updated over months or years. As a result, compliance mandates often force organisations to use protection methods that become outdated very quickly. Any belief that compliance mandates will provide absolute security to the business can therefore put you at risk: Target, for example, like many other recently breached organisations, had passed a compliance audit not long before falling victim. An additional point is that mandates will typically only cover a small subset of an organisation’s data, leaving large amounts of information (which could still be very sensitive) potentially at risk.
It’s interesting that, in the recent Insider Threat Report, conducted with industry analyst firm Ovum, compliance is the primary driver for securing sensitive data in Europe, but reputation and brand protection are very close behind. I believe we are seeing a shift in mind-set as organisations realise that there are limitations in relying on compliance alone. What’s a little concerning, however, is that 40 percent of UK respondents reported that their organisations have encountered a data breach or failed a compliance audit in the last 12 months, so we do still have some way to go.
With determined attackers able to breach any organisation’s perimeter, it’s time to realise that compliance alone cannot be relied on to protect data. Instead, protection directly around all sensitive data is becoming a requirement for all businesses today.