
The Importance of an IT Security & Compliance Partnership


By Josh Young Nov 10, 2016

With the steady increase of government regulation and industry standards, compliance officers and associated departments have grown more critical to keeping businesses on the right side of the law.

Thanks to several key pieces of legislation -- particularly the Health Insurance Portability and Accountability Act (HIPAA) and the Homeland Security Act -- aspects of your company's IT security and management can fall under government regulation. And these requirements can easily vary by region. For example, there are currently 47 unique state statutes regarding data breach notifications.

Unfortunately, many businesses operate their IT security and compliance programs independently -- a strategy that can leave them vulnerable.

Compliance Isn't Enough

After all, compliance does not necessarily mean that an environment is secure. And few businesses are more aware of that fact than Target.

Back in November 2013, the company's payment systems were compromised by malware, resulting in the theft of 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information.

Perhaps most troubling -- the retailer had been certified compliant with the payment card industry (PCI) standard only two months earlier.

The Human Factor

Security systems have their limitations. Even if your architecture could stop 100 percent of incursions -- which is wishful thinking at best -- your systems are still vulnerable to less direct methods, namely attacks routed through your company's employees.

Criminals and scammers frequently take advantage of social engineering attacks and the naiveté of staff to bypass your security measures. In fact, according to a 2016 study conducted by the Ponemon Institute, roughly 25 percent of the security incidents examined could be attributed to employee negligence.

Research conducted by Enterprise Management Associates, Inc. (EMA) found that 58 percent of employees store confidential information on mobile devices, which 30 percent frequently leave in vehicles unattended. In the same study, 35 percent of respondents admitted to clicking on links contained in phishing emails.

Of course, regular employees are not the only personnel-based vulnerability. In the Target data breach already mentioned, the business had in place a comprehensive $1.6 million anti-malware system that had detected the threat and notified IT security staff.

And the team failed to respond -- a failure that cost the business over $100 million.

It doesn't matter how complex or effective your company's security protocols are if they aren't followed. A sound cybersecurity compliance plan can help your business avoid similar missteps.

How Can You Integrate Your Security and Compliance Efforts?

Create comprehensive policies

Your company's cybersecurity policy should not be solely created by your IT team. Nor should your compliance guidelines be developed independent of security protocols. You need these two departments to work together when determining company policy.

Consider including compliance staff in the planning of network and security architecture, relying on them to keep an eye out for any regulatory issues or requirements that might arise.

Evaluate the "human element" for any new systems or security threats, determining how employee action (or negligence) could play a role and what measures could be taken to balance this influence. Then establish clear policies that outline expectations for your employees, particularly concerning password safety and device management.

Train everyone

Who do we mean by "everyone"? Everyone. Every employee in your company. From the seasoned CEO to the greenest intern, make security awareness training a priority. And be sure to incorporate any company cybersecurity policies into this education.

Scammers routinely target senior executives -- who often skip out on "mandatory" training -- with whaling attacks focused on stealing their credentials. For example, an aerospace parts manufacturer in Austria lost $47 million to thieves who had only hijacked the CEO's email account.

By providing training to all of your staff, you can empower them to more quickly identify and respond to potential threats. And with more cyberattacks relying on a social engineering element, your company needs to be prepared.

Conclusion

To protect your organization from the multitude of cyberthreats that exist today, you need a comprehensive strategy that integrates both IT security and compliance efforts. By coordinating these two elements, your organization can capitalize on both its technology and personnel to create a unified front against outside threats.
