July 18, 2016
Is Lack of Security Compliance a Hidden Time Bomb?
If you work in a regulated industry like health care, retail, or financial and B2B services, or if you have customers who are regulated, there might be a ticking time bomb hidden in your business that you didn’t know exists.
That bomb: Security Regulation Non-Compliance Business Risk
The reality is that most security compliance regulations apply to both regulated companies and their affiliate partners (suppliers, processors, partners, etc) — and this is something that many businesses overlook or neglect entirely. Security regulations are designed to enforce best practices security to protect your and your customer’s data. If you are not working toward that goal you may be setting your company up for big problems.
Why is that a problem? Companies that fail to proactively take the steps required to be compliant put their business at serious risk. Here are just a handful of the potentially negative effects of failing to comply with security regulation:
- Regulatory audits: These audits are a time-consuming process that often result in fines or loss of your ability to operate your business.
- Business partner audits and loss of business: Regulated business partners can audit your security compliance and can terminate business relationships if you lack key compliance level security controls.
- Data breaches and loss of private customer data: Data breaches cost organizations an average of $3.8 million in 2015, an increase of 23% since 2013. If a breach or loss of private customer data happens, your company might be required to publicly disclose the breach and its likely impact to customers or partners. Currently, 47 states have private data breach disclosure laws in addition to HIPAA, Merchant (PCI-DSS), and financial rules.
- Business continuity failure and business shutdown: Insecure environments are subject to potential business continuity failures. How long can your business survive without access to the internet, your VOIP phone system, or cloud applications? Business continuity is a key part of security regulations and has to be addressed in not just IT systems, but internet, security firewalls, backup, email security, etc.
So, what should companies do to make sure that they have an adequate level of security to comply with regulations, customer requirements or to protect their data or systems? Here are a few suggestions:
- Perform a third-party security risk assessment that’s customized to your company to define risks, vulnerabilities, security gaps, security strategy and recommended solutions.
- Implement recommended security controls to address your (and your customers’) requirements. These solutions need to be scaled to the size of your business and situation
- Implement a year-round security and risk management to assess, implement, maintain, monitor, and adjust security as required. All systems need to be actively managed.
Ultimately, if you work in a regulated industry or work with regulated customers, you should assume that your business is expected to adhere to specific security compliance regulations. Ignoring these requirements can put your company at unnecessary risk of costly data loss, fines, civil prosecution, and, potentially, loss of business — all of which are much costlier than the expense of maintaining compliance.