Industry experts discuss what new regulations concerning data and technology mean for organizations and what IT can do to mitigate security and compliance issues, both old and new.
“Remaining compliant with data has always been a concern for organizations, and a headache for IT,” states Doug Bordonaro, chief data evangelist at ThoughtSpot, a business intelligence and data analytics provider. “While that remains true in today’s world, the underlying drivers have changed.
“Previously, most compliance initiatives were driven by national legislation like HIPAA and SOX and rooted in security concerns around hardware and software,” he explains. “Today, however, enterprises must manage, govern and ensure compliance for the overwhelming amount of data they produce, especially in the face of global legislation like GDPR, rather than national regulations.”
So what are the biggest compliance-related issues that organizations face today? CIO.com surveyed dozens of IT, compliance and security experts to get their take. Following are the top five they cited, as well as suggestions regarding what IT leaders can and should do to ensure their organizations comply with industry and government regulations.
“Personal mobile devices [e.g., smartphones and tablets] … create security vulnerabilities,” says Lisa Hawke, vice president of security and compliance at Everlaw, a provider of e-discovery software. But organizations “can mitigate this issue through a strong bring-your-own-device policy backed up by technical controls. Mobile device management protocols, such as Google Mobile Device Management or Trend Micro, are key to oversight in this area because they provide the ability to remotely remove access to selected accounts or wipe a device.”
Furthermore, managers can prevent critical data from being “compromised [lost or stolen] by enforcing device lock passwords, the longer the better,” she says. And they should “replace SMS with a time-based one-time password-based method, such as Google Authenticator.”
Software management (updates and patches)
Keeping up with software updates and patching existing software when vulnerabilities are detected is another major issue for IT organizations.
“In 2017, the number of third-party vulnerabilities discovered in commercial and open source software more than doubled, requiring CIOs to ensure that their software was patched in order not to expose their organization to unnecessary risks,” says Rami Sass, co-founder and CEO of WhiteSource Software, an open source security and license compliance management platform. “We all still remember the patching frenzy led by Meltdown and Spectre in late 2017.
“The Equifax breach is another great example of the importance of patching vulnerable third-party components since the root cause was an exploitation of an open source vulnerability in their web application,” he adds. “The vulnerability was published in March together with a patch, but Equifax failed to patch it and the hacker exploited that known vulnerability. In third-party vulnerabilities, we need to remember that the information is known to the entire public, so a quick response is crucial.”
The bottom line: IT managers need to ensure that their organizations are current with software updates and immediately patch any known vulnerabilities.
“Europe’s sweeping privacy regulation, the General Data Protection Regulation, goes into effect May 25, 2018, and it looks beyond data security at how an organization uses data and respects individual privacy,” says attorney Daniel L. Farris, chair of the technology group at the law firm Fox Rothschild LLP. “It is pervasive, impacting the entire enterprise, and [will require] active management/oversight of third party vendors.
“Companies that collect or process data about Europeans, offer goods or services in Europe, or even receive, store or process EU personal data for corporate customers will likely have to comply. [And] compliance means … enterprise-wide data mapping and a data inventory, generally only using personal data as permitted by individuals after consent/opt-in, managing vendors, regularly auditing or assessing privacy compliance programs and respecting an individual’s ‘right to be forgotten,’” he explains. “Non-compliance can cost a company up to 4 percent of global turnover [gross revenue].”
To help tackle GDPR, “begin documenting data processing and resulting risk, including any applicable rights of the data subject, if you have not already,” says Hawke. “GDPR Article 30 requires that every organization subject to the regulation must maintain a record of data processing activities.” However, there are free tools, such as this template provided by Everlaw, that can help guide organizations.
“A major vulnerability of many companies comes from Electronic Data Interchanges (EDI) and vendor system integration,” says Farris. “A 2017 report by Soha Systems indicated that as many as 63 percent of all reported data breaches originated directly or indirectly from third-party vendors. Some of the most well-known data breaches, from Target (HVAC) to Home Depot (POS software on handheld devices) to Philips (payroll processor), have originated as breaches at a third-party vendor. Managing not only vendor information security but also vendor compliance with privacy laws is a major undertaking and significant compliance challenge.”
“With the proliferation of the internet of things (IoT), there is explosive growth in the number of endpoints and interconnected devices,” says Farris. “To date, IoT security standards have lagged, creating a potentially huge number of new vulnerabilities in organizations’ networks. This digital-physical convergence is being seen across almost all industries, including financial services, retail, food and beverage, industrial, energy, oil/gas, automotive, transportation and utilities companies.
“Unlike some other threats to an organization’s network, IoT endpoint vulnerabilities could ultimately lead to more than financial or reputational harm, but actual physical harm to individuals,” Farris says.
“To make sure that IoT systems in the enterprise are fully compliant to security regulations, CIOs should schedule annual penetration testing,” says Boris Shiklo, CTO of ScienceSoft, an IT consulting company. “This activity [should be] performed frequently in case there are changes in an IoT architecture.”
Another option is “sandboxing IoT devices into a separate area of the network, limiting their — and by association, hackers’ — access to sensitive data and credentials,” says Ofer Amitai, CEO of Portnox, a provider of network security solutions.