It’s time to start thinking holistically about compliance

July 28, 20174 Minute Read

Select article text below to share directly to Twitter!

Dismiss

“Compliance” may as well be a four-letter word for some enterprises. It’s a huge task that can feel daunting and never-ending. But it’s necessary—business leaders have to tackle it. They can’t afford not to.

Companies risk losing consumers’ trust, paying exorbitant fines, and losing valuable business if they’re not actively working to stay in compliance. (Need I mention the disastrous 2013 Target breach?) And ignoring compliance standards makes it easier for nefarious actors to break into your business.

The cost of not following business standards

Just like in everyday life, some companies will get away with breaking the rules. But for those who do get caught—whether or not it’s their own fault—the ramifications can be significant.

Consider the Payment Card Industry (PCI). Many people think it’s industry assurance (making sure that operations maintain standards set by authorities to serve as industry best practices), but it’s actually regulatory. In the event of a significant compliance violation, there can be steep fines—and those fines aren’t just coming from regulators. They’re coming from the card issuers and the banks, as well.

Compliance violations detected at publicly held companies can lead to data security practice investigations from the Securities and Exchange Commission, the Federal Trade Commission, and (in the United States) the US Attorney’s office—think Target, TJ Maxx, and Home Depot. The investigating agencies and penalties vary by country, but globally, there are always consequences.

Compliance requires diligence

Compliance regulations are generally high level. The National Institute of Standards and Technology (NIST) and the European Union’s incoming General Data Protection Regulation (GDPR) both talk specifically about securing endpoints that touch the network. And most companies do that. But they look at the “traditional” things they’ve worried about, like smartphones and desktop computers—not every single device that’s on the network. The cold, hard truth is that anything on the network transmitting, processing, storing, or transferring data has to be monitored and protected. And yes, that includes printers.

From a cybersecurity standpoint, we are at war—and proactive, ongoing compliance gives security professionals a strong defense. If you do not have—or if you’re not following—incident response or management plans, your organization stands to lose more if something goes wrong.

For instance, let’s say an incident meets the threshold for notification and disclosure, and the FBI gets involved. When the FBI asks for evidence, your data security practices—or lack thereof—will be exposed. This liability could lead to lawsuits on top of fines and loss of business. Even if you say your organization is following regulations, if you can’t prove it, then it is not so.

That’s why standards only get you so far. It’s the execution and effective due diligence that include defense in layers that will determine how well your company’s data is protected.

Two steps to securing your endpoints

Endpoint security is sometimes overlooked because of cost and perception. Many companies just don’t invest at the level they should—and at the same time, devices have evolved.

Take printers as an example. Ten years ago, they were seen as “dumb” devices that hooked up to your computer. But over time, we’ve built in so much intelligence that we have to look at them differently. Yet a lot of CISOs still regard printers as those same dumb devices that don’t warrant prioritization when it comes to securing the network. That’s a risky way of thinking. If it touches the network, it needs to have security and compliance standards. Period.

1. Know what’s on your network.

You can’t control what you don’t know. When we ask CIOs how many printers they have, many admit they don’t have a clue. So, how can they secure and control them?

The fact that there’s an obligation to monitor printers regularly gets left out of the equation. But understanding your environment is part of compliance. Know where all your endpoints are. Know where all your third parties enter your environment. Otherwise, you’re risking your network’s exposure.

2. Manage all devices—and their access.

Make certain all devices are locked down, the right policies are applied, and the right controls are applied to them. That includes authentication and access controls. HP printers have some features to facilitate that. A new HP printer joining the network has software that sends out a message that announces, “Here I am.” HP Central Managed Services will pick up on that and automatically apply the company policies to the device. Nobody has to physically go to the printer and manually configure and set it up.

On the people side, ensure that employees only have access to the information needed to carry out their roles and responsibilities. And if their positions change, then change their access accordingly.

The real cost of breaking the rules

If you don’t have the proper policies, standards, specifications, processes, and procedures in place for consistent execution, you leave your organization vulnerable.

Adhering to compliance standards requires thinking outside the box. Consider not only traditional endpoints, but also every way in which your employees and your vendors could interact with your organization and associated assets, including your network. Operate according to the laws of the countries where your offices are located and where you conduct business. And, most of all, don’t ignore intelligent endpoints—such as printers—and the risks they present.

  • Recommended for you
  • Recommended for You