Majority of Organizations Have False Sense of Data Security by David Weldon.
From the post:
A majority of organizations equate IT security compliance with actual strong defense, and are thereby leaving their data at risk to cyber incidents through a false sense of security.
That is the conclusion of the 2016 Vormetric Data Threat Report, released today by analyst firm 451 Research and Vormetric, a leader in enterprise data security.
The fourth annual report, which polled 1,100 senior IT security executives at large enterprises worldwide, details the rates of data breach and compliance failures, perceptions of threats to data, data security stances and IT security spending plans. The study looked at physical, virtual, big data and cloud environments.
The bad news: 91 percent of organizations are vulnerable to data threats by not taking IT security measures beyond what is required by industry standards or government regulation.
…
Compliance occurs 44 times in the report, the third and fourth times in:
We’re also seeing encouraging signs that data security is moving beyond serving as merely a compliance checkbox. Though compliance remains a top reason for both securing sensitive data and spending on data security products and services, implementing security best practices posted the largest gain across all regions.
Why would compliance be the top reason for data security measures?
I consulted Compliance Week, a leading compliance zine that featured on its enforcement blog: Court: Compliance Officers Must Ensure Compliance With AML Laws by Jaclyn Jaeger.
Here’s the lead paragraph from that story:
A federal district court this month upheld a $1 million fine imposed against the former chief compliance officer for MoneyGram International, finding that individual officers, including chief compliance officers, of financial institutions may be held responsible for ensuring compliance with the anti-money laundering provisions of the Bank Secrecy Act.
…
A $1 million fine is an incentive in favor of compliance.
A very large incentive.
Let’s compare the incentives for compliance versus cybersecurity:
Failure | Penalty |
--- | --- |
Non-Compliance | $1 million |
Data Breach | $0.00 |
I selected the first compliance penalty I saw; such penalties run an entire range, some higher and some lower. The crucial point is that non-compliance carried penalties, substantial ones in some cases.
Compare the iPhone “cookie theft bug” that took 18 months to fix: penalty imposed on the vendor, $0.00.
Cybersecurity proposals without a stick are a waste of storage and more importantly, your time.