Being Compliant isn't always Being Secure

I’m Compliant, so that means I’m Secure, right?

Unfortunately, no. Testing to a specific standard doesn’t guarantee that your information is secure. HIPAA, the Sarbanes-Oxley Act (SOX), and PCI DSS (Payment Card Industry Data Security Standard) compliance standards address completely different aspects of your network and information, but a gap in any of them can cause serious pain for any company. It is hard to find a company that doesn’t handle banking or other sensitive information on a regular basis in this era. Testing to a standard doesn’t always take into consideration the little things that we take for granted every day.

So, what is really at stake?

Everything! Depending on the compliance standard, you might be very good at securing the financial data, but not so great at segregating your network. Or, your team might be great at only sharing medical information with those they are supposed to, but not know much about password best practices or how to keep clients away from a network switch. Do any of the compliance standards address whether your network can be accessed from the building’s common utility room? In the end, those are points from which a data breach can start, and testing to a compliance standard doesn’t cover all of the known angles of attack.

You can be compliant and secure; it just requires an adjustment of focus.

Testing to the “Compliance Standard” is admirable and needed, but don’t stop there. Every little piece plays into the security of your organization and its data. Look at how easy it would be to socially engineer your way into your own office. Can you see the list of appointments and visitors as you walk up to the “Gatekeeper”? Most of these things are easy to notice, and also easy to remediate.

That which we consider “unimportant” may be exactly what an attacker is looking for. They know that we ignore the mundane tasks of securing small, seemingly unimportant devices and put our efforts toward the “glitter” of our high-level connections or services—the things that interface with, or are, our flagship product or service. It is pitiful how many devices come with pre-configured services set with standard default passwords, like Wi-Fi routers with SSH, FTP and remote access enabled by default. Our new office firewall might be securely configured, but then someone puts a wireless router onto the network for Wi-Fi in the lobby or breakroom. Did that get the same consideration for security?

Your team doesn’t have to do it alone!

If you don’t want to be a victim of the mundane, but also don’t have time to go through it all yourself, we can help. Prescient Security has services and experts to find the points vulnerable to attack and to train your employees to be aware of and prevent physical attack vectors. You don’t need the budget of a Fortune 500 company to be secure. The impact of a security incident can be much more detrimental to smaller businesses. And if you do have to check a “Compliance” box, we can help.

Fabrice Mouret