Last week I sat down with a business owner to discuss his IT needs and the topic of security inevitably came up. When I inquired about the measures the company was taking in order to protect their data from a potential online breach, the confident answer I received was something I actually hear quite often:
“We are HIPAA compliant.”
The fact is, regardless of what regulatory standard your business happens to fall under (PCI, HIPAA, 201 CMR 17.00, etc.), if you’re relying on this type of compliance to also keep your sensitive data safe, you are most certainly placing your company at risk.
Simply put, regulatory compliance and cyber security are entirely different things.
Don’t believe me? Surely you recall the massive Target security breach that occurred in 2013, through which more than 40 million credit and debit card numbers were stolen. The retail giant took a huge financial and reputational hit, with stock prices plummeting and disgruntled customers opting to take their business elsewhere.
Did you know that just two months prior to that breach the company was validated as PCI-compliant?
That’s right. Just weeks before hackers were able to infiltrate Target’s network and compromise the sensitive financial data of millions of individuals, the company received the green light that they met the regulatory compliance for information security.
At the time of the breach, Target was, by its assessor's measure, in line with the PCI DSS requirements. The problem is that a passed assessment says little about whether a network can actually withstand an attacker.
One of the main reasons being compliant doesn't necessarily mean you're cyber secure is that the two focus on different things. HIPAA, for instance, is scoped to protecting patient health information, not to securing the business as a whole; an organization can satisfy it while the rest of its systems stay exposed. Compliance regulations are also deliberately broad and therefore open to interpretation: they mean different things to different people. For the most part, provided a business is taking "reasonable" measures to keep information safe, it will meet the compliance criteria.
Unfortunately, being "reasonable" about keeping customer or employee data secure means nothing to an attacker. If you are not taking the actual security measures, such as continuous monitoring, anti-malware controls and employee security awareness training, that fortify your defenses, you are a soft target for cyber criminals.
Another reason relying on compliance for network security isn't wise is that compliance is, by nature, intermittent. Take PCI DSS: it is assessed at specified intervals, such as quarterly vulnerability scans and an annual assessment. If you are only checking your company's data security once a quarter or once a year, you are leaving yourself exposed in the interim.
Essentially, all a compliance audit really provides is a snapshot of how secure you were at one moment in time. Cyber criminals, on the other hand, are working around the clock, 24/7/365. A defense that held two months ago says nothing about whether it holds today.
Finally, cyber-attacks keep evolving and growing more sophisticated. Compliance standards, by contrast, can take years to draft and revise. By the time a new requirement is published, the threats to your business have already changed, becoming more persistent, more invasive and more destructive than those the standard was written to address.
If you are relying on your compliance status to keep your network and sensitive data secure, you are relying on an outdated and inadequate resource. More importantly, you are placing your business at a much greater risk of a potential breach.
What happened to Target and countless other businesses could very easily happen to you. To avoid becoming a victim, it's critical that you develop and maintain a comprehensive security strategy that goes well beyond the baseline compliance requirements. That, not a certificate, is what keeps your information, network and brand reputation safe.
Not sure where you stand? Give us call at 617-718-5454. We can conduct a thorough assessment to determine whether you are truly secure and provide you with the guidance you need to achieve maximum protection.
Andrew K Sharicz, CISSP
Andrew has been in technology for 20 years, working with organizations whether they have just one or thousands of computers, helping them increase their productivity and keep their data safe and secure. He's a big fan of dispensing with the geek speak and bringing practical solutions for business owners that want to stop fighting with their computers and start getting stuff done. Andrew is the CTO of Netlogic Computer Consulting of Nashua, NH and Newton, MA, a regional IT services firm providing support, cloud and security consulting to New England small and medium sized businesses. You can contact him at asharicz@netlogiccomputer.com, 603-546-6422 or through www.netlogiccomputer.com
The Landy Insurance Agency is a national leader in providing non-medical, professional liability and cybercrime insurance for accountants, attorneys, and real estate professionals. John can be reached at 781‐292‐5417 or johnt@landy.com. Visit www.landy.com for more information.