In the past two blog posts we looked at regulations, the history of hacking, and cybercrime today.
We found out that (a) compliance is always a process, and many companies have been breached despite being compliant, and (b) the cybercrime environment is becoming ever more diverse, sophisticated, and complex, making it nigh impossible to eliminate the risk of a breach entirely.
So what can we learn from all of this?
Compliance does NOT equal security
The rapid evolution and sophistication of hacking has led to the creation of complex regulations. These regulations try to set industry security standards as best they can, and while a lot of people are afraid of GDPR and PCI DSS, they are actually a good thing! They’re a step in the right direction.
On the other hand, these standards have also created a false sense of security.
Compliance follows Cybercrime – especially when it comes to targeted attacks. Hackers are quick to adapt their tactics and tools to always be one step ahead. They operate much faster than regulations can be written and implemented.
A lot of enterprises try to secure their systems – they try to secure devices, servers, and networks. However, security teams have a limited budget. Even if they had every method and measure at their disposal, an enterprise with thousands of endpoints and a complex infrastructure will never be 100% compliant and will never be 100% secure. And there is one main reason:
While most hackers aren’t wizards, neither is the average employee.
We are human – sometimes we make mistakes, and sometimes we get complacent. As a result, a simple web search for usernames and passwords turns up plenty of real credentials. In times of GDPR, that could cost real money. Unfortunately, these shortcomings are easy to exploit, and once they are, someone benefits – usually the bad guys. We need to remember that people are not infallible.
So what does this mean for security and compliance teams?
Compliance and security are ongoing projects
Nothing new here. Looking back at the breaches over the last few years, we all know that both security and compliance require constant vigilance and careful architecture.
PCI DSS and GDPR are a great place to start but they must be considered as simply a baseline level of security. While both regulations cover the basic rules of data protection, an enterprise security architecture should be further enhanced to meet unique organizational culture and risk management objectives.
Knowing that it is not possible to be 100% compliant and 100% secure, there remains one big question:
What should take priority?
Essentially, there are two main types of attacks: sabotage, or data theft – gaining access to sensitive information that is valuable to the attackers. While sabotage usually isn’t that bad and companies often recover pretty quickly, theft is far more dangerous. It’s all about getting access to data.
What if data is rendered unreadable anywhere it is stored? What if you could still work with the data while keeping it protected?
Developing a data-centric security strategy is the key to answering these questions. Data-centric security enables organizations to be more proactive about keeping data secure and privacy protected.
The EU’s GDPR supports solutions like this and states that if stolen data is adequately protected, then there is no obligation to disclose the breach, since no actual sensitive data has been compromised. This means that in the event of a breach, personal data is kept safe and the affected company doesn’t have to worry about legal battles, fines, or settlements.
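To make the idea in the two paragraphs above concrete, here is an added example (not code from the original post, and not comforte's SecurDPS or any vendor's algorithm) of field-level tokenization: the card number is replaced before it reaches the application database, the stored value keeps its length and last four digits so existing lookups and joins still work, and only a separate vault can reverse the token. The key, the in-memory vault and the sample orders are all constructed for the demo; the digit-mapping is a teaching simplification rather than real format-preserving encryption.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the key (and the vault below)
# live in a hardened service; application databases and logs never see it.
DEMO_KEY = b"demo-tokenization-key-not-for-production"


def tokenize(pan: str, key: bytes = DEMO_KEY, keep_last: int = 4) -> str:
    """Return a same-length, all-digit token that keeps the last `keep_last` digits.

    Deterministic (same PAN -> same token), so joins, deduplication and
    "last four" displays keep working on the protected value, while the
    leading digits are replaced by HMAC-derived digits that reveal nothing
    about the original. Teaching simplification, not format-preserving
    encryption and not any vendor's algorithm.
    """
    if not pan.isdigit() or len(pan) <= keep_last:
        raise ValueError("expected an all-digit value longer than the kept suffix")
    head_len = len(pan) - keep_last
    digest = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    if head_len > len(digest):
        raise ValueError("value too long for this demo")
    # Map one digest byte to one decimal digit (slightly biased; fine for a demo).
    new_head = "".join(str(b % 10) for b in digest[:head_len])
    return new_head + pan[-keep_last:]


class TokenVault:
    """Minimal in-memory stand-in for the one component allowed to reverse tokens."""

    def __init__(self, key: bytes = DEMO_KEY) -> None:
        self._key = key
        self._token_to_pan: dict[str, str] = {}

    def protect(self, pan: str) -> str:
        token = tokenize(pan, self._key)
        self._token_to_pan[token] = pan
        return token

    def reveal(self, token: str) -> str:
        return self._token_to_pan[token]


def protect_records(records: list[dict], vault: TokenVault) -> list[dict]:
    """Replace the 'pan' field of each record with its token before storage."""
    return [{**r, "pan": vault.protect(r["pan"])} for r in records]


def leaked_pans(stored: list[dict], real_pans: list[str]) -> list[str]:
    """Which real PANs would someone who dumps `stored` actually obtain?"""
    blob = "\n".join(str(r) for r in stored)
    return [p for p in real_pans if p in blob]


def last_four_matches(stored: list[dict], last_four: str) -> list[str]:
    """Customer-service style lookup that works on tokens alone."""
    return [r["customer"] for r in stored if r["pan"].endswith(last_four)]


if __name__ == "__main__":
    # Constructed sample data; these are well-known test card numbers, not real accounts.
    orders = [
        {"customer": "alice", "pan": "4111111111111111", "amount": 42.00},
        {"customer": "bob", "pan": "5555444433332222", "amount": 13.37},
        {"customer": "alice", "pan": "4111111111111111", "amount": 7.00},
    ]
    vault = TokenVault()
    stored = protect_records(orders, vault)
    for row in stored:
        print(row)
    print("real PANs recoverable from a dump:", leaked_pans(stored, [o["pan"] for o in orders]))
    print("customers whose card ends in 1111:", last_four_matches(stored, "1111"))
    print("vault can still reveal:", vault.reveal(stored[0]["pan"]))
```

The point of the design is the split: the application database, its backups and its logs only ever hold tokens, so a dump of them yields no usable card numbers, while the vault that can map a token back is a small, separately protected component. Deterministic tokens are what keep the data workable (the two "alice" orders still match on the same token), which is the trade-off the paragraph above describes.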
comforte already makes this possible through its patented data-centric security solution, SecurDPS.