By Davitt Potter
Sr. Engineering Manager, Cybersecurity
Arrow Enterprise Computing Solutions
Compliance mandates, such as PCI DSS, HIPAA, SOX and FISMA, are necessary for organizations to meet stringent regulations and avoid fines and other penalties. However, many organizations are left wondering whether simply being compliant is enough to keep their assets, as well as their customers’ information, safe. The following three myths explore how simply being compliant can still leave your customers’ organizations vulnerable to data breaches, attacks, or leaks.
Myth 1: Payment Card Industry Data Security Standards (PCI DSS) is Only Necessary for Large Businesses
For the sake of your customers’ data security, this myth is unequivocally false. No matter their size, organizations that handle card data must meet the Payment Card Industry Data Security Standards (PCI DSS). In fact, small business data is very valuable to data thieves and often easier to access because of a lack of protection. Failure to comply with PCI DSS can result in big fines and penalties and can even cost an organization the right to accept credit cards.
Credit cards are used for more than simple retail purchases. They are used to register for events, pay bills online, and conduct countless other operations. Best practice says not to store this data locally, but if an organization’s business practice calls for customers’ credit card information to be stored, then additional steps need to be taken to ensure the safety of the data. Organizations must prove that all certifications, accreditations, and best-practice security protocols are being followed to the letter.
Myth 2: Our customers have a great compliance strategy, so they must be secure.
Simply meeting compliance standards does not mean that customers’ data will remain protected. All too often, organizations think that if they are strictly following the guidelines, then the data they store will be secure. Organizations must continue to manage, monitor and secure their data on a perpetual cycle. An IT expert should be assigned to monitor and track data movement and alert on unusual behavior. Tracking includes the basic blocking and tackling needed to prevent malware attacks. In short, it is not enough to simply adopt a “check-the-box” approach to compliance. Organizations must ensure that data remains protected at all times; this can mean working with a trusted and knowledgeable security adviser if the organization does not have the bandwidth or expertise in-house.
Myth 3: My customers are compliant, and have never had a breach before; so what they’re doing must be working.
Never having had an incident is not the same as complete protection. It really just means that your customers have been lucky so far. The chilling reality of today’s digital world is that most organizations don’t know they have been breached until a law enforcement agent or a third party contacts them. Be sure to conduct risk assessments on your customers’ past, current, and future security protocols. For example, implementing a user-access system where each user must have a unique username and password will meet the HIPAA compliance requirement; however, your customer is still vulnerable to attack through malware and other methods that are increasingly sophisticated and harder to detect.
To be both compliant and secure, your customer must make security the number one priority. Instead of simply providing users with a unique name and password, restrict their access to job-related functions only, employ two-factor authentication and set up regular training on best practices. Employees should have only the minimum level of access to data that is required to do their jobs. This approach limits the damage that can be done if an employee unwittingly has their credentials stolen or intentionally accesses the system to steal data.
Meeting compliance while improving data security is not an easy endeavor. Each compliance standard requires organizations to document and report on the standards set forth. Your customers need to understand that by focusing on providing the highest level of security possible, they would easily meet basic compliance standards, killing two birds with one stone. Arrow Enterprise Computing Solutions offers a comprehensive portfolio from the world’s leading technology suppliers to solve your customers’ most pressing network, computing, and security issues. Arrow connects your organization with the unique tools and services needed to achieve compliance and enhance security efforts. Contact firstname.lastname@example.org for more information.
Editor’s Note: This post was originally published in September 2015 and has been updated for accuracy and comprehensiveness.