Compliance is not a guarantee against data breaches. These are the findings of an Advisera survey of 605 respondents from countries on five continents and from various industries, mostly from smaller and medium-sized companies, working predominantly in IT and security roles.
Security and compliance are tightly related
Nearly 85% of respondents consider security and compliance to be highly related and feel that they need to be implemented together.
“This perception of respondents can be supported by the fact that most security managers take into account laws, regulations, and other legal requirements (e.g., contracts and service agreements) when implementing security,” said Dejan Kosutic, CEO at Advisera.
Satisfying auditors/third parties
Surprisingly, there are a few activities that seem to be less common for both compliance and information security. These include satisfying the auditors/third parties, using a framework for setting up a system, monitoring suppliers, setting KPIs and measuring their achievement, and reporting to the top management.
Advisera’s information security expert Rhand Leal said: “By not using a common framework for both security and compliance, an organization may have redundancy on common activities (e.g., identification of requirements, measurement, and management review), which leads to inefficiency, using more resources and effort than necessary.
“For example, by not considering both security and compliance requirements that satisfy auditors and third parties (e.g., customers and regulators), an organization may finish with many more KPIs than necessary, instead of using fewer KPIs that are useful for both issues.
“Additionally, by performing joint monitoring of suppliers, as well as joint reporting to management, an organization can provide to top management a wider view of compliance and security, allowing for the identification of situations that could be missed if seen separately, and improving the overall effectiveness of information security and compliance.”
The cause of data breaches
Employees who have not been properly trained are considered by respondents to be the main cause of data breaches, followed by a lack of security processes and technical safeguards. Failure to comply with security laws and regulations is seen as the least frequent cause of data breaches.
“Social engineering and exploitation of technical vulnerabilities are among the main weapons used by attackers to compromise an organization’s data, and their chance of success is increased by the lack of training (not only of common users, but also of technical staff), and also by not adopting robust processes and technologies.
“Regarding laws and regulations, because in most cases they cannot cover all possible situations, simply fulfilling their requirements is not a guarantee that an organization will be safe, so organizations should also rely on risk management approaches,” concluded Kosutic.