Rebecca James

Enthusiastic Cybersecurity Journalist, A creative team leader, editor of privacycrypts.com.

Compliance is Not a Guarantee Against Data Breach

When it comes to combating the ever-growing threat posed by data breaches, most organizations believe that compliance is key. With cybercriminals targeting governments, small businesses, and other essential infrastructure- the need to minimize the impact of these attacks is at an all-time high. 
However, contrary to popular belief, simply being compliant with the laid out rules and regulations is not going to cut it anymore. Bearing witness to the ever-pressing threat of data breaches, and how compliance isn’t the key to guaranteeing security in organizations are the findings of the Advisera survey, conducted with 605 respondents. 
Advisera conducted the survey anonymously, and the 605 respondents were based on countries on five continents, hailing from various industries. In addition, most of the respondents hailed from medium to smaller organizations and occupied security and IT positions in their respective companies.
Before we can get into the key findings of the survey, let’s have a look at the primary reasons behind data breaches, particularly in organizations. 

What causes data breaches in organizations?

As far as the cybersecurity infrastructure of an organization is concerned, the notion that security is only the responsibility of the IT department is quite outdated. As cybercrimes continue to evolve in sophistication, an organization’s employees also play a pivotal role in fighting the good fight against data breaches and hacks. 
To demonstrate the point above, the findings of the survey revealed that 41.14% of respondents wholeheartedly agreed that untrained, or poorly trained employees were the root cause of data breaches. Moreover, following untrained employees, 17.73% of respondents agreed that a lack of technical safeguards and security processes lead to data breaches. 
As per the respondents of the survey, a failure to comply with regulatory laws was seen as the least important reason for breaches. 
Keeping in mind the findings of the survey, the following assumptions about the surveyed individual’s answers can be made: 
The most frequently employed tools used cyber criminals to target organizations include launching social engineering attacks and targeting technical loopholes- both of which exploit an employee’s lack of cybersecurity training. 
As far as complying with data regulations is concerned, organizations should focus more on creating an effective risk management strategy, rather than blindly adhering to the rules. Since the regulatory data rules can’t possibly contain a solution to all situations, organizations must have proper risk management approaches. 
Instead of blind compliance, businesses should focus on analyzing current loopholes within their cybersecurity infrastructure, including incorporating elements of physical security, along with data encryption and authentication within their security strategies. 

Is compliance more essential than security for an organization? 

When respondents of the survey were asked about their company’s leaning towards cybersecurity or compliance, a staggering 61.98% of the surveyed individuals responded that security and compliance are both equally important and should be given the same importance. 
The emphasis that the respondents of the survey placed on the bond between compliance and the overall security of an organization can also be seen in their answer to the relationship between compliance and security. A whopping 84% of all the respondents agreed that the implementation of both compliance and cybersecurity is tightly wound together. 
Based on the responses given by the survey takers, the following underlying notions can be assumed: 
Rather than treating compliance with data regulations as entirely different from implementing security in an organization, businesses should focus on the correlation between them.
Furthermore, the answer respondents gave in regards to the relation between security and compliance, may also be based on the fact that while implementing new security measures, most security managers need to take into account laws and other legal agreements. 
As far as the 62% of respondents who wanted organizations to treat compliance and security equally are concerned- in order to provide the same importance to complying with rules and implementing safety, organizations need to set a specific benchmark to satisfy suppliers as well. 
Amongst these benchmark rules, companies need to consider satisfying auditors and other third parties with their security decisions, along with looking for the maintenance of fundamental security goals, such as the minimization of incidents of cybercrimes while still maximizing on new business opportunities and goals. 

What are the biggest concerns in enacting security and compliance within organizations?

Although the practice of training employees and fostering a more cybersecurity conscious environment within an organization might seem like a practical solution to the persistent risk of data breaches and hacks, implementing it is much easier said than done. 
Moreover, when the 605 surveyed respondents were asked about the pressing compliance and security concerns, a majority of them listed the harm that data breaches did to an organization’s reputation as their first choice. 
The damage that breaches cause to a company’s reputation was immediately followed by the lack of security education and cybersecurity awareness within employees, along with fear for the new hacking methods that cybercriminals might employ. 
The findings of the survey brought into light the underlying belief that many employees hold sacred- the belief that the organization that they work for is a reputable one. Furthermore, reputation is a notion that takes years to cultivate. Even the prospect of a data breach can shatter that belief, and tarnish an organization’s value to nothing. 
The respondent’s answer also bears witness to the magnitude of shortcomings that employees have in regards to being prepared for a potential breach, or cybercrime for that matter. In order to foster a conscious cybersecurity environment, organizations need to pay more attention to security measures that involve everyone. 

Some simple security measures organizations can urge employees to practice include:

Installing ant-virus software and updating it frequently. 
Examining ‘sketchy’ emails, for any suspicious links, since they are highly likely to propagate malware and spyware into the company’s network. 
Avoiding surfing any blacklisted websites. 
Banning transferring files via a USB flash drive, since they are the most common vectors of spreading viruses and malware files. 

To conclude:

As per the findings of the survey conducted by Advisera, the relation between ensuring cybersecurity, and complying with data regulations and laws has never been more apparent. 
As businesses become more and more ‘tech-savvy,’ the relation between compliance and security is going to get even more complicated.
Taking this into consideration, organizations need to realize that time is of the essence and quickly come up with security measures that detect the threat of data breaches in its early stages, along with satisfying all involved parties.

Tags

Comments

October 15th, 2019

Hi there, Yeah sure.

More by Rebecca James

Topics of interest