TechGuard Blog

'Check the Box' Compliance Isn't Enough

How does your company handle security compliance? Is your approach to security the bare minimum, or is it next level? Does your company follow through on recommendations after it checks the boxes? Security compliance is a good and necessary starting point for regulated industries, whether the framework is HIPAA, PCI DSS, FISMA, or another. However, compliance regulations alone are not meant to be foolproof. They are benchmarks that offer a standardized approach to help protect people and businesses. While it is true that meeting compliance raises the baseline level of security, that baseline is often not enough.

Remember the 2013 Black Friday breach that hit Target just weeks after it passed a compliance check? Target Chairman, President, and CEO Gregg Steinhafel states, "Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach." That breach, and the costly litigation that followed it, shows that a minimalist approach to cybersecurity isn't sufficient.

Businesses have to take security beyond the compliance requirements and think ahead rather than only reacting. Are you aware that compliance checklists are typically written in response to past attacks and lag behind new threats? There's no doubt that security threats and the tactics of cybercriminals are constantly evolving. Companies need to stay ahead of the game and take cybersecurity to the next level.

Audit Yourself

Does your company examine its policies and procedures for security gaps that regulatory compliance may not cover? How often does your company audit its policies and controls? Don't wait for the mandatory audit to come to your workplace. Test yourself and confirm that known vulnerabilities have actually been remediated, not just documented. Consider every third- and fourth-party vendor in your supply chain. Have you vetted each one carefully? Clarify, in writing, who is responsible for each security practice. TechGuard performs IT Security Controls Assessments across all industries to ensure businesses achieve security beyond "check box" compliance.

TechGuard positions organizations to mitigate, transfer, accept or avoid information risk related to people, processes, and technology. An established strategy also helps the organization adequately protect the confidentiality, integrity, and availability of information. A TechGuard Cybersecurity Expert will review and assist with the development of standards and policies. The expert will perform a procedures review and gap analysis based on your industry regulatory compliance.

Top-Down Culture

You can probably relate to a time at work when a third party came to audit compliance. Employees were likely celebrating the moment the auditors left the building. Everyone was relieved, assumed the organization had passed the audit, and was ready to relax after the accomplishment. If this scenario hits home, consider the message that leadership is sending about required audits. Do employees get the distinct impression from leadership that required audits are nothing more than an inconvenience that everyone must muddle through miserably? Organizational leaders themselves must understand and buy into the vital importance of security and convey this message in order to earn employees' buy-in. Leaders need to carefully consider the appropriate allocation of resources when thinking about security. In addition to financial resources, employees' time needs to be taken into consideration.

Think long-term and comprehensively about employees' perception of security efforts and audits. Employees will never have authentic buy-in if you present a security task to complete without continuing reinforcement or without visible buy-in from the top down. Not only is it important to take security compliance audits seriously, but understanding and conveying the benefits of the audits to employees is also critical. A well-crafted communication campaign is an important piece in raising awareness of the real value your security efforts add.

Employees Must Buy-In

A standard that employees must meet every six months is not enough to stay ahead of current threats or to win employees' buy-in. An interesting example that comes to mind is a story about a CEO who wanted his employees to understand the company's mission. He sent an email to all of the employees explaining what the company's mission was. He struggled to understand why they replied to a survey stating that they did not understand the mission and overall direction.

Consider how many employees actually read the email. Of the employees who read it, think about how many understood the message. Of those who understood the message, how many took it seriously? Of the employees left, how many will remember it? And of those, who will change their behavior based on the memo? Employees may view a checklist of compliance standards in the same manner. Reflect on who will take the security measures to heart and who will do the bare minimum asked. A 'check the box' mindset doesn't produce sustainable behavior change, and consequently it produces no real cybersecurity for your organization and no real protection of your reputation.

Apply the same logic to security awareness training programs. Good training requires ongoing reinforcement as new threats and vulnerabilities emerge. Consider how often you've heard teachers share how quickly students forget what they learned after a break from school. Consider how many times you need to see and hear a message before it sticks. TechGuard's Security Awareness Training Courses use logical real-world examples and adult learning principles to engage the participants.

Take Compliance to the Next Level

There's more to compliance than meets the eye. Appreciate the checklist as a starting point, but remember to ask additional questions about your security practices. Do you and your employees understand why you are following the compliance checklist? For instance, take time to ensure your employees comprehend why they need to follow your company policy on remote working. Confirm that they understand the kinds of attacks they could be exposing the company to by breaking a policy related to remote work. Providing strict rules to support security is great, but when employees understand what's really at stake, they are more likely to take the rules seriously.

Last, learn from the mistakes of others. Breaches will continue to take place. Consider what mistakes occurred during those breaches and apply the lessons learned to your organization. A good way to think about compliance training is to equate it to a driver obtaining a license at the DMV. Holding a driver's license doesn't guarantee that someone is a safe driver. It just means they passed the required minimum standard for testing. Don't let your company fall victim to the mentality that 'check the box' security is good enough!