“Check the Box” Compliance Isn’t Enough
How does your company handle security compliance? Is your approach to security bare minimum or next level? Does your company follow through with recommendations after they check the boxes? Security compliance is a good and necessary starting point for regulated industries whether it’s HIPAA, PCI-DSS, FISMA, etc. However, compliance regulations alone are not meant to be foolproof. They are benchmarks that offer a standardized approach to help protect people and businesses. While it is true that meeting compliance does equal a higher level of security, it is often not enough.
Remember when Target was breached on Black Friday 2013 just weeks after passing a compliance check? Target Chairman, President and CEO Gregg Steinhafel states, “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” This costly litigation (as well as countless others) provides proof that a minimalist approach won’t cut it when it comes to cybersecurity efforts.
Businesses have to take security beyond the compliance requirements and think ahead rather than only taking a reactive approach. Are you aware that often compliance lists are formed based off of past attacks, but do not take into account new threats? There’s no doubt that security threats are ever changing and that hackers’ tactics are always evolving. Companies need to stay ahead of the game and take cybersecurity to the next level.
Does your company test your policies and procedures to look for security gaps that may not be covered by regulatory compliance? How often will your company audit its policies and controls? Don’t wait for the mandatory audit to come to your workplace. Test yourself and confirm that you have eliminated vulnerabilities. Consider every third party and fourth party vendor you contract with. Have you vetted each one carefully? Clarify all responsibilities for security practices. TechGuard performs IT Security Controls Audits across all industries to ensure businesses achieve security beyond “check box” compliance.
TechGuard positions organizations to mitigate, transfer, accept or avoid information risk related to people, processes and technology. An established strategy also helps the organization adequately protect the confidentiality, integrity and availability of information. A TechGuard Cybersecurity Consultant will review and/or assist with the development of standards and policies. The consultant will perform a procedures review and gap analysis all based on your industry regulatory compliance.
You can probably relate to a time at work when a third party came in to audit compliance. Employees were celebrating the moment the auditors left the building. Everyone was relieved assuming your organization passed the audit and ready to relax after the accomplishment. If this scenario hits home, consider the message that leadership is sending about required audits. Do employees get the distinct impression from leadership that required audits are nothing more than an inconvenience that everyone must muddle through miserably? Organizational leaders themselves must understand and buy-into the vital importance of security and convey this message to get employees to have buy-in. Leaders need to carefully consider the appropriate allocation of resources when thinking about security. In addition to financial resources, employees’ time needs to be taken into consideration.
Think long-term and comprehensive with regards to employees’ perception regarding security efforts and audits. Employees will never have authentic buy-in if you present a security task to complete without continuing reinforcements or without seeing buy-in from the top-down. Not only is it important to take security compliance audits seriously, but understanding and conveying the benefits of the audits to employees is also critical. A well-crafted communication campaign is an important piece to raise awareness about the real value add of your security efforts.
Employees Must Buy-In
Giving employees a standard to meet once every 6 months is not enough to stay ahead of current threats and to influence employees’ buy-in. An interesting example that comes to mind is a story about a CEO who wanted his employees to understand the company’s mission. He sent an email to all of the employees explaining what the company’s mission is. He struggled to understand why they replied to a survey stating that they did not understand the company’s mission and overall direction.
Consider how many employees actually read the email. Of the employees who read it, think about how many really understood the message. Out of those who understood the message, how many employees actually took it seriously? Next, out of the employees left, how many will remember it? Of those employees, who will change their behaviors based on the memo? Employees may view a checklist of compliance standards in the same manner. Reflect on who will really take the security measures to heart and who will do the bare minimum that is asked. In addition a “check the box” mindset doesn’t offer sustainable behavior change and consequently no real cybersecurity for your organization or protection of your reputation.
Apply the same logic to security awareness training programs. Good training requires ongoing reinforcement for new vulnerabilities. Consider how often you’ve heard teachers share how quickly students forget their knowledge after a break from school. Consider how many times you need to see and hear a message before it really sticks. TechGuard’s Security Awareness Training Courses use logical real world examples and adult learning principles to engage the participants.
Take Compliance to the Next Level
There’s more to compliance than meets the eye. Take time to expand the compliance checklist. Appreciate the checklist as a starting point but remember to ask additional questions about your security practices. Do you and your employees understand why you are following the compliance checklist? For instance, take time to ensure your employees understand why they need to follow your company policy on remote working. Confirm that they really understand different attack types that they could be exposing the company to by breaking a policy related to remote work. Providing strict rules to support security is great, but if employees can understand what’s really at stake then they are more likely to take the rules more seriously.
Last, learn from the mistakes of others. Breaches will continue to take place. Consider what mistakes occur. Apply the lessons learned to your own organization. A good way to think about compliance training is to equate it to a driver obtaining their driver’s license at the DMV. Holding a driver’s license doesn’t guarantee that they are a safe driver. It just means they passed the required minimum standard for testing. Don’t let your company fall victim to the mentality that “check the box” security is good enough!