Being compliant does not mean your organization is safe, nor does it make your organization immune to the consequences of a data breach. In an article on CSO Online, “Compliant does not equal protection: our false sense of security”, I discuss the nuances of regulatory compliance and how, while important in driving protection standards, compliance requirements can lead to complacency when setting security standards.
Having regulatory compliance laws in place helps hold organizations accountable and clearly places the onus on organizations to protect the sensitive data they store. Given the strict regulatory standards under HIPAA, one would assume that healthcare organizations would be the most secure, but we know this to be untrue. Despite the standards of HIPAA, and despite the ever-expanding body of laws and regulators stepping up to set stricter security requirements, there is a difference between compliance and protection that leaves organizations exposed to risk as well as costly repercussions.
In the article, I talk about how fulfilling regulatory checklists may shield you from government oversight and fines, but your organization may still face other consequences, including business disruption, lawsuits, reputation damage, and public outrage. Compliant or non-compliant, these are all potential consequences of a data breach.
Aside from these unexpected repercussions, there is the danger that organizations that see themselves as “compliant” will become complacent in their security planning. Though compliance requirements offer a good set of basic controls, they in no way protect an organization from the unique risks it faces. Understanding the difference between compliance and protection ensures that compliance is not treated as the end goal, and that organizations extend how they protect themselves beyond these basic requirements.
Of course, regulatory compliance is an important practice, and failure to comply can result in significant consequences. We’ve seen numerous cases where this form of corporate negligence has directly resulted in a data breach, as we saw with the Anthem case earlier this year. Compliance offers a baseline standard that we all need to have in place, but one-size-fits-all standards should not be treated as comprehensive security guidelines.
It’s critical that organizations regain control over their data. From proactive monitoring and reporting to detection and response procedures, deploying a layered approach to security that extends beyond “good-enough” protection is the most effective strategy to keep sensitive information private and ultimately avoid legal and financial consequences. Learn more about how Absolute can provide the adaptive endpoint security your organization needs to always stay in control of its devices and the data they contain.