Any organization that operates under the guidelines and requirements of a regulated industry is aware of the challenges that must be met and the ‘hoops’ that must be jumped through to achieve compliance. Beyond the intensive proof that your systems and data are stored in the required secure manner, there are often equally intensive processes that must be followed for continual auditing. But even with all of these protocols in place, and the large number of experienced professionals required to maintain them, circumstances still exist that can wreak havoc and demonstrate that you are not as secure as you might think.
For example: wherever there is human intervention, there is a possibility for error. In the world of compliance, whether FERC, NERC, HIPAA or another government-regulated framework, people are usually the main reason for lowered system security. You might ask how such well-planned and well-executed systems could allow something as simple as human intervention to cause such problems. The answer goes beyond a failure to keep security software updated and enters the realm of negligence.
A BakerHostetler Privacy and Data Protection Team study was released on the number of data security incidents in 2014. The report showed that 36% of the incidents were a direct result of negligence by employees, and that identifying an incident took an average of 134 days from the time it occurred. These incidents resulted in the leak of proprietary information, including patient medical data, and led to outcomes ranging from breach notification to litigation.
While cloud storage remains the most secure method of storing information, much of this data is shared with partners through APIs, and not all ‘partner vendors’ may be secure. From email malware to a human error as simple as selecting the wrong ‘field’ for an upload, the ways of exposing both the security of a system and the data itself span a broad spectrum.
The complicated world of compliance requires a focus on ensuring that the data and information itself is maintained in a strictly controlled environment, but it often overlooks the small ways in which a breach can actually occur. Gaps such as inadequate employee training on how intrusions happen, and on how to recognize and respond when a system breach occurs, can not only allow a break in security but also delay its discovery, turning a contained event into a much larger one.
Remote access to information, even on systems that have focused on their security, has opened the door to potential security hazards. It is not enough to simply have a strong password and encryption; the devices themselves must also be validated. Cybercriminals are aware of these weaknesses and take every advantage of them with sophisticated viruses and programs designed to infiltrate.
Strict compliance standards have typically not focused on potential breaches caused by human error. They have been established to concentrate on the methodology of storage and transmission, not on the small ways that people can affect those processes. All organizations in a line of business with serious compliance requirements must add this element to their security practices.