Depending on the industry your business operates in, there may be specific compliance regulations regarding the handling of data that you need to conform with. Whether it’s HIPAA, HITECH, or PCI DSS, these regulations are put in place to protect consumer information with technological standards and best practices. A problem businesses often run into with compliance laws is that they assume a false sense of security once they feel they’ve satisfied the basic requirements of any compliance regulations relevant to them. They check off a given list of requirements to pass an audit and move on. This “checkbox compliance” leads to a lack of proactive thinking about security and protection against security breaches. As has been reinforced by recent data leaks in the news, such as the Ashley Madison incident, such episodes can have an enormously negative impact on a company’s reputation and revenue. While passing compliance audits is clearly important, let’s take a look at why compliance standards should be viewed only as a minimum baseline for a business’s overall security strategy.
Why isn’t just passing an IT compliance audit good enough?
While compliance regulations enforce important consumer protections to safeguard personal data, they often lack the specificity to give a true indication of how secure a company is. For example, an organization might merely be asked whether they have a password policy or not. This yes or no question does little to uncover the specifics and stringency of the actual policy: how often are passwords required to be changed? How strong are passwords required to be? In this sense, passing an IT audit does little to ensure sufficient levels of security have been achieved. In fact, passing IT audits often comes down to the preferences of the individual auditor working with the organization to come up with some requirement to pass the audit-- so they can both “check the box” for that particular requirement and move on.
Using an IT compliance audit as a baseline
Instead of viewing IT compliance audits as the goal to be achieved, these requirements should be viewed as a baseline upon which to build your company’s security strategy. Working with your IT company, you should go through the requirements of a particular audit. If there are any holes in your business’s technology strategy or practices, these need to be be addressed first and foremost. One these basic requirements have been satisfied, businesses are well served by going back to the requirements of the audit and figuring out ways that the controls in place can be strengthened while maintaining compliance and limiting collateral damage to the organization.
While adding increasingly complex security measures can be worthwhile, consider the impact on your organization's culture and the morale of employees as well. We’ve all experienced those situations where people have become so frustrated by the frequency with which they’re required to change their password, they start to write it down on pieces of paper so they remember it that are then left lying around the office-- not a good practice for data security!
Ultimately, instituting expanded data security processes is a balancing act between convenience and security. While your business won’t receive any extra credit from auditors as a result of above and beyond the requirements of compliance regulations, there is a greater impact in ensuring your business’s IT practices and systems are as secure as they can be. Not only is increased data security a potential differentiator for you but also minimizes the chances of catastrophic data leaks.
Work with an IT company to build a security plan
By starting with the mindset of being as security conscious as possible, chances are your business will pass any IT compliance audits without issue. Work with an IT company to identify potential risks that are specific to your organization: Do you have identifiable systems or processes in place that lack necessary controls? Are your employees fully educated and aware of the impact their behavior has on your overall security?
Once potential risks have been identified, businesses should measure the likelihood and impact of the risk becoming an issue and examine and implement solutions to address the concern. Once a solution is identified and implemented, ongoing monitoring is necessary to ensure your implemented plan is effective. A proactive approach to security not only includes going above and beyond compliance standards, but the continuing analysis of potential security risks. New dangers and concerns arise all the time, but it’s how businesses adapt to these that helps minimize their security risks.
By taking this proactive approach to security, passing compliance audits should almost become a secondary consequence: a minimum baseline you have already more or less achieved by going above and beyond in your security strategy.
Have you ever had experience with IT compliance audits? What role did they play in the focus on security for your business? Let us know in the comments below.
If you would like to learn more about avoiding checkbox compliance as part of your cyber security plan or have any other questions about IT as part of a comprehensive IT support strategy, don’t hesitate to contact us today to speak with an IT expert.