12th May 2014
By Richard Hibbert, CEO, SureCloud
According to a report from Risk Based Security and the Open Security Foundation, there were no fewer than 2,164 incidents of data loss last year. Of those, 72% involved external attackers while 25% were classified as internal incidents, although the latter were attributed mainly to human error and accidents rather than malicious intent.
One of the biggest data breach stories of 2013 was at US retailer Target where the personal data of around 110 million customers was reported to have been leaked. It is not clear whether Target was in compliance with PCI DSS at the time it was breached but statistically the chances are that it was not. According to Verizon’s 2014 PCI Compliance Report only 11.1% of businesses were fully compliant in 2013.
It is important to consider that compliance with standards such as the PCI DSS is based on a single annual audit. As such, it is understandable that organisations may be found to be non-compliant at the time of a data breach, even after ‘passing’ an annual audit for that same period. This is because the annual assessment represents a moment in time: an accurate verdict made at a single point during a twelve-month period. It is not a guarantee of compliance for the following day, let alone for any enduring length of time. There is plenty of evidence to show that many data breaches occur some time after a successful PCI DSS audit.
The important thing to remember with PCI DSS is that while there is nothing wrong with it, it should be considered as a subset of controls for a broader information security programme, based on regular control assessments. The fact remains that any security programme based on annual assessments is no substitute for solid business-as-usual (BAU) security practices.
For reasons of cost and complexity, many off-the-shelf compliance solutions on the market today have yet to prove themselves from an ROI point of view. Firms have chosen instead to meet their compliance obligations by developing their own home-grown methods – often involving spreadsheets to collect information about the status of controls and track the progress of the programme – to manage compliance programmes such as PCI DSS.
The spreadsheet, for all its versatility, is simply part of a largely manual process. In a large-scale compliance audit the spreadsheets cut across all kinds of internal programmes and departments – HR, Finance and IT, for example. It is almost impossible to gauge the overall status of a large-scale compliance programme without lengthy and painstaking analysis of hundreds of completed responses. Skilled compliance and risk personnel end up being burdened with manual process administration and are given insufficient insight into trends and anomalies to support business decisions.
This absence of automation in a spreadsheet-based approach is its Achilles heel. A lack of shared obligation or team effort places all of the responsibility for delivering results with the compliance officer or equivalent. At the same time, spreadsheet recipients are told they have to complete them but may not fully understand the significance or consequences. Meanwhile, as far as their managers are concerned, it is just another job that has to be done. There is no central visibility of the organisation’s compliance status and very little control over the compliance process. In short, you end up with something that is little better than an exercise in the pursuit of compliance for compliance’s sake, instead of focusing on making security the first priority.
In practice, neither off-the-shelf nor home-grown systems are capable of meeting what organisations need most – namely an easy-to-use system with an intelligent reporting capability, which allows them to make informed decisions about risk levels and quickly determine which areas to prioritise in order to manage them. The frequency with which data breaches are reported highlights that organisations in the 21st century need something better than spreadsheets to manage their security processes.
In our experience organisations find standards such as PCI DSS much easier to comply with if all stakeholders are able to collaborate in a centralised control-oriented process. One of the most effective ways to improve the management of compliance initiatives is to lift each process entirely into the Cloud. This has the immediate benefit of helping organisations to automate the auditing process. It also gives them an easy way to devolve responsibility for updating control status and activities to those most qualified to provide the answers and corroborating evidence. This eliminates any need for lengthy spreadsheet-based programmes and frees up highly skilled compliance and risk personnel from time-consuming administration.
As the regulatory landscape evolves (tougher new EU data protection laws, for example, are scheduled to come into effect over the next year or two), organisations need to reassess their approach to compliance. These new regulations will result in non-compliant firms being fined €100m or up to five per cent of global turnover – whichever is the higher. The ability to bridge the intelligence gap between off-the-shelf and home-grown compliance systems is a game changer. By giving organisations immediate visibility of their status and greater overall control over their compliance programmes, it helps them meet their current compliance demands and makes responding to future changes so much easier. Having a control-centric process that embeds demonstrable working controls into the daily routine keeps the security programme separate from any particular regulatory standard and makes continuous compliance part of everyday best practice.
In summary, SureCloud advocates a continuous business-as-usual (BAU) approach to information security where the primary focus is to improve the security of an organisation’s information, applications and technology, rather than merely satisfy a “tick box” compliance exercise. A continuous approach to compliance puts controls at the centre of the compliance programme (as opposed to relying on an annual audit) where control activity is performed and monitored throughout the calendar year. This approach provides real-time visibility of the organisation’s compliance status – the net effect being more merchants incorporating PCI DSS compliance into their BAU practices and importantly improving the organisation’s security posture.