As we have mentioned time and time again, cybersecurity threats are consistently on the rise. That puts security concerns at the top of the priority list for business executives and IT departments. And with each new wave of breach incidents, lawmakers and regulators are exploring ways to create new compliance requirements or enhance existing ones.
So while regulations might hold organizations accountable to protect the sensitive data they store, does compliance equal security? Not necessarily.
To be sure, following regulatory guidelines can easily give the illusion of security. Such guidelines may help reduce risk, but they do not provide sufficient protection from targeted attacks: a compliance framework defines a baseline of controls assessed at a point in time, and an attacker is not bound by the scope of that assessment. A new study shows data breaches continuing to occur in organizations certified as compliant. The “2016 Vormetric Data Threat Report” polled 1,100 senior IT security executives at large enterprises worldwide, and found that most IT security strategies are focused on perimeter defenses that consistently fail to halt data breaches, despite maintaining regulatory compliance. And that’s not all it revealed:
- 61% of respondents say they experienced a data breach in the past, but only 21% cite past data breaches as a reason for taking data security measures.
- 91% of organizations worldwide feel vulnerable to data threats, whether internal or external.
- 39% of respondents say their organization has experienced a data breach or failed a compliance audit. [Please note: This is a self-reported survey. This number is wildly lower than previous polls, and we believe should be viewed with skepticism.]
“Being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen,” said Garrett Bekker, senior analyst of Enterprise Security at 451 Research. “But organizations don’t seem to have gotten the message, with nearly two-thirds (64%) rating compliance as very or extremely effective at stopping data breaches.”
Fulfilling regulatory compliance requirements may spare you regulatory sanctions and fines, but it does not exempt you from other consequences, including loss of business, lawsuits, or reputation damage. Compliant or not, these are all potential consequences of a data breach. It’s important to remember that being compliant does not mean your organization is safe, nor does it mean that your organization is immune to the consequences of a data breach.
Improving information security is a process, and most importantly a holistic one, that goes well beyond checking off the remaining boxes on your regulatory to-do list.
Image Source: Vormetric