Data Compliance is not Data Security
What does it mean to be compliant? Compliance is the state of following rules and regulations and conforming to the specifications, policies, standards or laws within those regulations. Data security rules can come from industry or legislative compliance guidelines, and every company may also have its own data security compliance standards, which vary. Financial institutions and medical companies are likely to have specific requirements and policies for storing their own and their customers' data. Falling out of compliance can have adverse effects on your business and your customers.
Has your company, or a company you know of, failed a compliance audit? Many security models are built on the need to meet compliance regulations. While it is understandable to build compliance-driven security initiatives, it is not a best practice.
One of the many reasons companies build compliance-driven security initiatives is that they are trying to reduce cost and time spent. However, there is a win-win in data security that goes beyond just saving time and money on achieving compliance, and it starts with accurately identifying and classifying the sensitive data that needs to be protected. Doing so can accomplish both compliance and security initiatives quickly and inexpensively.
What is Data Security?
The basis of data security is taking security measures to keep information safe, whether the information is stored on a computer, a mobile device, a flash drive, a CD, or any other stationary or removable device. Having good data security practices in place helps ensure your privacy and your customers' privacy. Often, data security is a mix of encryption and redaction; these processes block out various parts of the stored data so that they cannot be read.
Our conversations with potential customers suggest that there are many reasons why people primarily worry about compliance:
- If my security program is compliant with regulations X, Y or Z, I can’t get fined because I am putting forth a reasonable effort
- The folks writing the rules know what they’re doing, so I’m secure if I just do that
- Our industry/company isn’t really targeted, and/or we haven’t been breached
- Our budget is too small to thoroughly protect ourselves, and so by necessity we need to just focus on being compliant
Oftentimes, failing a compliance audit propels rapid action and can break loose budget increases here and there, especially when aided by misconceptions like the ones above. However, achieving compliance alone is no longer sufficient to reduce corporate exposure to information security risk.
For one, a failed audit may be the motivating driver, but being in compliance not only does not guarantee the protection of your sensitive data, it increasingly also does not insulate you from penalties, as recent rulings suggest.
- Recent penalties and fines have ranged from hundreds of thousands of dollars to as high as $25M, in many cases against organizations that thought of themselves as having been in compliance
- Also, most of the organizations that experienced spectacular hacks were in compliance; so while compliance is clearly necessary, it is not sufficient to achieve information security
A second reason why compliance is not the same as security is that some data is not regulated. Intellectual property, for example, or other forms of valuable data that do not fall under regulations, such as personal emails, corporate sales data, or upcoming product information, are all types of unregulated data that are nevertheless highly sensitive, and losing them could mean financial exposure.
Having illustrated why being in compliance is not the same as being secure, it is also important to understand the consequences of not being in compliance vs. not being secure if a breach event happens. This decision tree illustrates the consequences and likely costs:
The win-win is that by knowing where your sensitive data is, compliance AND security improve without slowing things down or adding costs. Given the need not only to be compliant but also to implement an effective security strategy while striving for compliance, the question then is how to do so without driving up costs or complexity beyond the original, compliance-driven goals. The short answer is that this starts with classification, so that you know where your sensitive data resides.
- You can be compliant with PCI, HIPAA and other standards using data classification
- By knowing where the sensitive data is, you know which security strategies can best be leveraged to protect it, which makes your overall security spend more efficient
- Automation, accuracy and persistence are key to effective data classification
- You can protect both structured and unstructured data, whatever type of sensitive data it is, and deploy not just manual but also automated classification
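The classification step described above, as an added example that is not Spirion's code or any product's implementation: a small scanner that runs over a mix of structured (a CRM row) and unstructured (notes, a wiki page) records, tags each one with the regulated category it touches (PCI for card numbers, PII/PHI for SSNs, PII for e-mail addresses) plus an unregulated-but-sensitive category driven by organisation-specific terms, and then redacts what it found. The sample records, the card number (a well-known test value) and the confidential term list are all constructed for the example. The point about accuracy is the Luhn check: a 16-digit tracking number that merely looks like a card is not counted, so the resulting inventory tells you where the data you must protect actually lives rather than where long digit strings happen to be.

```python
import re

# Constructed sample records: one structured CRM row and three unstructured documents.
# All values are fabricated test data (4111 1111 1111 1111 is a standard test card number).
SAMPLE_RECORDS = {
    "crm_row_1": "name=Jane Doe; card=4111 1111 1111 1111; email=jane@example.com",
    "support_note_7": "Caller verified with SSN 123-45-6789; issue resolved.",
    "wiki_page_3": "Q3 roadmap: codename Heron ships in October. Owner pm@example.com",
    "invoice_9": "Shipment tracking 1234567812345671 delivered on time.",
}

# Hypothetical organisation-specific terms marking unregulated but sensitive content
# (the article's "upcoming product information" category); assumed for the example.
CONFIDENTIAL_TERMS = ("roadmap", "codename")

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Return (category, matched_value) pairs found in one record."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):   # a regex hit alone is not enough; the checksum cuts false positives
            findings.append(("PCI", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("PII/PHI", m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("PII", m.group()))
    lowered = text.lower()
    for term in CONFIDENTIAL_TERMS:
        if term in lowered:
            findings.append(("CONFIDENTIAL", term))
    return findings


def redact(text: str, findings: list) -> str:
    """Mask every regulated finding in place; card numbers keep only their last four digits."""
    out = text
    for category, value in findings:
        if category == "PCI":
            digits = "".join(c for c in value if c.isdigit())
            out = out.replace(value, "*" * (len(digits) - 4) + digits[-4:])
        elif category in ("PII", "PII/PHI"):
            out = out.replace(value, "[REDACTED " + category + "]")
    return out


def inventory(records: dict) -> dict:
    """Map each record id to the sorted set of categories it contains: the 'where is my sensitive data' view."""
    return {rid: sorted({cat for cat, _ in classify(text)}) for rid, text in records.items()}


if __name__ == "__main__":
    for rid, text in SAMPLE_RECORDS.items():
        found = classify(text)
        print(rid, [cat for cat, _ in found])
        print("    ", redact(text, found))
```

The inventory is what drives both halves of the win-win: records tagged PCI or PII/PHI are the ones an auditor will ask about, and the same tags tell you which records need encryption or redaction before they are shared or backed up. In a real deployment the pattern set would be larger, the scan would run on a schedule over the file shares and databases in scope, and results would be persisted so that newly created records are caught as well.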
As a service provider, one of the key components of your customer relationship is trust. Without attestation of trust, a customer is unlikely to continue to seek services from you. At a time when hacking and other vulnerabilities continue to become more frequent, data protection becomes key. Security breaches can be terrifying and costly. As such, having good data security standards and being in compliance can help prevent security risks.
Combine both worlds: prevent data breaches and identity theft AND be compliant.
At Spirion we can help you with the best practices in data security compliance. Whether you have recently experienced a security incident, or you are just starting to work with compliance standards and security management, we can help provide a risk assessment and keep your data stored safely. Raise your standards and let us know how we can help with the security and compliance of your data!