Compliance vs. Security - What
By Steven Freidkin on Jul 25, 2019

Compliance vs. Security - What's The Difference? (2020)

As we continue to see crippling data breaches, new regulations like GDPR and California's Consumer Privacy Act will only become more common. But is maintaining compliance to current regulatory laws enough to protect your business from sophisticated cyber security attacks?

The Importance of Regulatory Compliance 

Today, highly regulated industries such as financial services, healthcare, energy, utilities and many others must adhere to strict regulatory standards.

The list of regulatory compliance laws is long, including a soup of acronyms such as HIPAA, PCI DSS, FISMA, SOX - and those are just the ones that most people have heard of.

And it's not unusual for companies to have to comply to multiple regulations at once, making it even more of a struggle to stay compliant. 

Of course it's critically important to comply to regulatory requirements. Businesses need to follow the state, federal, and international laws and regulations that are relevant to their operations. Failure to comply will open you up to potential lawsuits and financial liability, not to mention broken trust with clients, partners and others.

However, it's expensive, complex and requires the right expertise just to stay on top of existing standards, let alone embrace new ones.

The result is that companies often focus on meeting the minimum requirements instead of implementing proper cyber security polices, which in today's environment where our attackers are always one step ahead of our defenses, is not a good thing.

And it doesn't help that the regulation outlines are publicly available, often providing hackers with a good deal of the information they need to figure out how to break through!


Regulatory compliance managed IT


What's The Difference Between Compliance and Security?

Compliance is NOT security!

There are many examples of companies being breached despite regulatory compliance.

Even though almost every large financial institution is PCI DSS (Payment Card Industry Data Security Standard) compliant, many have still been breached, including the much publicized Equifax hack in 2017.

You can add in Target, Michaels, Neiman-Marcus...the list goes on of organizations that DID meet compliance requirements but were still hacked.

Hundreds of U.S. utility companies, who spent tons of time and money on meeting compliance requirements, failed to prevent hackers from accessing their control rooms. 

They were penetrated by hackers sending spear-phishing emails and tricking vendors and suppliers into giving up their passwords, which in turn gave them access to valuable information.

The bottom line is: compliance is NOT security.

You need to start thinking of compliance as a snapshot of how your security program meets a specific set of security requirements  - and not a strategic plan that will cover all of your security needs.


Is Compliance or Security More Important?

Both are equally important.

Although compliance is a critical component of any security program, new vulnerabilities and threats keep emerging which can only be managed through constantly updating your cyber security practices - that may go far beyond what your industry regulations are asking for.

This means that compliant or not, organizations need to take a more holistic look at their information security, and implement the proper security necessary to protect their business.

To truly protect sensitive data, having the proper security program in place AND being compliant are critical. 

But cyber security can be a complex beast - many organizations end up outsourcing some or all of their cyber security needs to a Managed Security Service Provider (MSSP) who can provide 24x7 cyber security protection.

To help get you started on your cyber security journey, here are the top six things you should be doing to protect your organization from security attacks.

Regulatory Compliance IT Security


Security Checklist - Top Six Recommendations

1. Start with the core. 

Is your infrastructure serving you well, or are you still supporting outdated, potentially insecure systems to avoid disruption and perceived cost.

Those who have been in business a long time tend to have bolted on a range of one-time fixes they found in some compliance software, often carrying an unnecessary burden of IT operating costs needed to maintain outdated systems and old code.

This means you’re missing out on newer and potentially more secure technologies that could cost much less, which are typically cloud-based solutions.

2. Do a security audit. 

Many organizations have been addressing information security for decades, but recent events show that traditional approaches are no longer good enough. Information security risks have evolved dramatically, and most institutions have not kept pace.

A thorough security audit and separate compliance audit needs to be performed at least once a year.

3. Automate your updates.

We can't stress enough the importance of keeping your computers and servers up to date with the latest software and patches.

Don't leave this to a human being with a spreadsheet and a manual process - it needs to be automated, along with your network monitoring.

The risks of outdated software is huge (just ask the IRS.)

4. Encrypt sensitive data.

Whether accidental or malicious, exposure of sensitive data is an organization's worst nightmare.

While perimeter maintenance can protect against many threats, it can't prevent against all. 

To be truly safe, you should encrypt the data itself, both “in motion” (think email, downloading documents, etc.) and “at rest” (think file servers, endpoint devices and even the cloud.)

There are many data encryption solutions on the market today, and a qualified IT consulting service should be able to help you sort through the options. Don't risk your clients' personal information!

5. Educate your employees.

The biggest cyber security threats are actually right inside your organization. It's estimated that more than 60% of breaches are caused by employees, typically from phishing attacks

Providing on going phishing prevention training to employees can help reduce this statistic dramatically.

6. Don't forget Backup and Data Recovery.

Successful backup and data recovery (BDR) is now a must for every single business, large or small. 

It starts with documenting a data retention policy, which records your established protocol for retaining information. This includes how to organize information so it can be searched and accessed at a later date, and how (and when) to dispose of information that is no longer needed. 

Older technologies are no longer enough – do you know the difference between file-based backup and image-based backup?  

Are you aware of how often your current BDR solution is being tested? This is one area of risk management you can’t afford to ignore!

As a next step, we encourage you to take a read of our "Essential Cyber Security Toolkit" which will provide additional information, and of course reach out to us if you have any questions!


The Essential Cybersecurity Toolkit E-Book Download Call to Action