Without Compliance Your Technology Is Worthless
Thousands of laptops and mobile devices, hundreds of servers, applications with various levels of access, databases that hold critical information, and people moving around doing things in those systems. What are they doing? Do you know? Are you sure the users are doing only the things they should be doing and nothing more? Can you say that your critical business data is safe and has not been accessed by unauthorized people, and produce a report that shows it? Just because you throw technology into your business to do awesome, cool things on the latest iPhone app does not mean your responsibility ends there. With great power comes great responsibility, and that responsibility is being compliant with regulations and common-sense practices.
The scary thing is most companies are not.
The compliance I am talking about is not just the federal or industry regulations (FFIEC, PCI DSS, HIPAA, SOX, EU data-protection rules, etc.); it is any and all compliance rules you need to meet. Depending on the size of your company you probably have a department just for Audit and Compliance; you may even have a C-level officer for compliance. If not, you should. Compliance rules are the IT laws you should work by, and if you think you are too small or don’t deal with enough people to put any time and money into it, then here is exactly what you are saying: “I value you as a customer, but not your data.”
At the end of the day, business interests and integrity MUST take precedence over an individual’s inconvenience around compliance guidelines. All it takes is one public breach and you won’t have to worry about either any more.
Severe damage to your company, to your industry, and potentially to national security is what’s at stake. Don’t think it isn’t. Imagine what would happen to the country if Mastercard or Visa had their core databases compromised and every single cardholder’s debt, credit, and personal information was taken. Used in the right way it could cripple the national financial system. That may be an extreme case, but your company by itself can be shut down just by a viral Twitter run of your breach.
Compliance is there to help everyone. It may be a pain in the butt and expensive to implement, but it’s no one’s fault but your own if you do not account for it in your project’s or department’s budget. This should not be an optional feature but a required line item.
Reporting, certifications, attestations, business rules applied directly in your access systems, real-time log analytics, segregation of duties, encrypted communications, password expiration, multi-factor authentication, approval workflows, and so on. All of these seem like common sense, yet they are passed over and not implemented time and time again, and year after year companies big and small fail audits and never fix them.
I actually know a company that does not use encrypted communications behind their firewalls (LDAPS, HTTPS, etc.). The answer I heard was this: “Too much processing overhead.” True story. As ridiculous as that answer is, they are leaving themselves open to a world of hurt if their perimeter is compromised or an employee gets disgruntled.
The business needs to have that complete picture of what’s going on. Accounting has a record and knows where every penny is, why not the same focus on the bytes?
When it comes to tracking people, the largest threat to your company, a full Identity and Access Management system is required. You may start small, but the end goal is the same: to give the business a single user view of who someone is, what they did, what they tried to do, when they did it, and who approved them to do those things. Making sure your IT infrastructure is protected and locked down will cover the primary requirements of most compliance regimes. It seems so simple, yet knowing who has access and where eludes so many companies that it’s scary.
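To make that “single user view” concrete, here is an added example (not code from the original post) that builds it from two constructed inputs: a table of role grants with the approver recorded, and an access log of allowed and denied actions. It also flags the two things an auditor asks about first: grants nobody approved, and one person holding a toxic combination of roles (segregation of duties). The role names, log format and conflict table are assumptions made up for the illustration.

```python
"""Single-user access view plus segregation-of-duties check.

Added illustration, not the post's own code. All role names, the log
format and the conflict table below are assumptions constructed for it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample grants: who holds which role, and who approved it.
GRANTS = [
    {"user": "alice", "role": "ap_invoice_entry",   "approved_by": "mgr_finance", "since": "2023-01-10"},
    {"user": "alice", "role": "ap_payment_release", "approved_by": "mgr_finance", "since": "2023-03-02"},
    {"user": "bob",   "role": "ap_invoice_entry",   "approved_by": "mgr_finance", "since": "2023-01-10"},
    {"user": "carol", "role": "dba_prod",           "approved_by": None,          "since": "2022-11-20"},
]

# Constructed sample access log: timestamp, user, role used, action, decision.
ACCESS_LOG = """\
2023-04-01T09:12:03Z alice ap_invoice_entry create_invoice ALLOW
2023-04-01T09:40:11Z alice ap_payment_release release_payment ALLOW
2023-04-01T10:05:54Z bob ap_payment_release release_payment DENY
2023-04-02T22:13:09Z carol dba_prod export_table ALLOW
"""

# Toxic role combinations (assumed): one person must not hold both.
SOD_CONFLICTS = {frozenset({"ap_invoice_entry", "ap_payment_release"})}


def parse_log(text):
    """Parse the space-separated log lines into event dicts with aware timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, role, action, decision = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "role": role, "action": action, "decision": decision,
        })
    return events


def roles_by_user(grants):
    """Map each user to the set of roles they currently hold."""
    held = defaultdict(set)
    for g in grants:
        held[g["user"]].add(g["role"])
    return held


def sod_violations(grants):
    """Return {user: [sorted conflicting role pairs]} for users holding a toxic combination."""
    violations = {}
    for user, roles in roles_by_user(grants).items():
        hits = [tuple(sorted(c)) for c in SOD_CONFLICTS if c <= roles]
        if hits:
            violations[user] = hits
    return violations


def unapproved_grants(grants):
    """Grants with no recorded approver: access that nobody signed off on."""
    return [(g["user"], g["role"]) for g in grants if not g["approved_by"]]


def user_view(user, grants, events):
    """The single user view: roles and their approvers, what they did, what they tried."""
    mine = [e for e in events if e["user"] == user]
    return {
        "roles": {g["role"]: g["approved_by"] for g in grants if g["user"] == user},
        "did":   [(e["ts"].isoformat(), e["action"]) for e in mine if e["decision"] == "ALLOW"],
        "tried": [(e["ts"].isoformat(), e["action"]) for e in mine if e["decision"] == "DENY"],
        "sod_conflicts": sod_violations(grants).get(user, []),
    }


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    print("SoD violations:", sod_violations(GRANTS))
    print("Unapproved grants:", unapproved_grants(GRANTS))
    for u in ("alice", "bob", "carol"):
        print(u, user_view(u, GRANTS, events))
```

On the constructed data this reports alice as holding both halves of the invoice-entry/payment-release pair, carol’s production DBA role as never approved, and bob’s denied attempt to release a payment, which is exactly the who/what/when/approved-by picture the paragraph above asks for.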
Compliance can be ignored and half-assed only for so long. It would not surprise me if, in the near future, after a company of significant size has a massive, damaging breach, regulations were changed so that your business is shut down until you meet the requirements. No more extensions, increasing fines, or years of second chances. You get a warning, a timeline to fix it, and if you do not, you are shut down until you do.
It’s only a matter of time before the federal regulators step in and protect your users’ data if you do not.
End of Line.
Binary Blogger has spent 20 years in the Information Security space and currently provides security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.