Organizations now face a large number of regulations and complex compliance standards that must be followed. Data breaches are more common than ever, with published statistics putting losses at hundreds of billions of dollars in the US alone, and in 2017 alone around 1 billion account records were stolen in data breaches. The work of compliance and security staff is therefore more complicated than ever.
The big problem, according to James Scott of ICIT, is that many of the people involved do not actually know anything about IT security. A number of myths have grown up around both cyber security and compliance, and because of them most people have become apathetic and cynical. The truth is that nobody knows which security problems will appear in the future. What we do know is that the following myths are incorrect.
PCI DSS Is Just Needed For The Larger Companies
PCI DSS stands for Payment Card Industry Data Security Standard. The belief is that the standard is only needed by large firms, but in fact it applies to every organization that stores, processes or transmits cardholder data, regardless of its size. Card data is highly valuable to thieves, and attackers usually get in precisely because a small business has not added the protections the standard requires. Failing to comply with PCI DSS results in substantial penalties for companies, small or large.
Firewalls Are Needed To Be Compliant
Some compliance regulations do state that an organization must perform monitoring and access control, and in some cases the word "perimeter" is used to describe where control devices or firewalls are expected. However, this does not mean that a firewall or a NIDS is necessary everywhere.
Monitoring and access control can be achieved with a range of technologies. A firewall or a NIDS is an obvious way to meet such a requirement, but there are many other options (host-based controls, application-level authorization, logging and review) that can be taken into account.
Compliance Is Only Related To Access Control And Rules
Network security and compliance are not just about writing rules that have to be respected. Providing real security requires ongoing, real-time assessment of what actually happens on the network. Organizations that merely follow the written rules and policies can still be exposed to numerous security and compliance failures.
What always matters in IT security is to log everything that happens and to analyze it in real time. Compliance follows from establishing access control and then an ongoing analysis system that checks whether the access control is actually working; that is what validates the compliance and security measures.
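The point above, that written rules are only as good as the ongoing check that they are actually being honoured, can be shown with a small monitor that evaluates access-log events against a policy as they arrive. This is an added example, not code from the original article; the policy table, the log format and the log lines are all constructed here for illustration, and the thresholds (five failed logins within 60 seconds) are assumptions rather than any standard's requirement.

```python
"""Continuous review of access events: check each event against the written
policy as it arrives, rather than trusting that the policy is followed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Hypothetical access-control policy (assumption): which roles may use which
# resource class. "anyone" marks a resource that is open to all roles.
POLICY: Dict[str, Set[str]] = {
    "cardholder-db": {"payments-svc", "dba"},
    "hr-files": {"hr"},
    "public-web": {"anyone"},
}

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z user=alice role=dba action=read resource=cardholder-db result=success
2024-03-01T10:00:05Z user=bob role=hr action=read resource=cardholder-db result=success
2024-03-01T10:00:07Z user=eve role=contractor action=login resource=vpn result=failure
2024-03-01T10:00:09Z user=eve role=contractor action=login resource=vpn result=failure
2024-03-01T10:00:12Z user=eve role=contractor action=login resource=vpn result=failure
2024-03-01T10:00:13Z user=eve role=contractor action=login resource=vpn result=failure
2024-03-01T10:00:15Z user=eve role=contractor action=login resource=vpn result=failure
2024-03-01T10:00:20Z user=carol role=hr action=read resource=hr-files result=success
"""

Alert = Tuple[str, str, str]  # (alert type, user, resource)


def parse_line(line: str) -> Dict[str, object]:
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *kvs = line.split()
    event: Dict[str, object] = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


class Monitor:
    """Streaming checks: policy violations and repeated login failures."""

    def __init__(self, policy: Dict[str, Set[str]],
                 max_failures: int = 5,
                 window: timedelta = timedelta(seconds=60)) -> None:
        self.policy = policy
        self.max_failures = max_failures
        self.window = window
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.alerts: List[Alert] = []

    def process(self, event: Dict[str, object]) -> None:
        user, role = str(event["user"]), str(event["role"])
        resource, result = str(event["resource"]), str(event["result"])

        # Check 1: a successful access by a role the policy does not allow.
        # This is exactly the case a rule-only approach never notices.
        allowed = self.policy.get(resource)
        if allowed is not None and "anyone" not in allowed \
                and role not in allowed and result == "success":
            self.alerts.append(("policy-violation", user, resource))

        # Check 2: too many failed logins from one user in a sliding window.
        if event["action"] == "login" and result == "failure":
            ts = event["ts"]
            assert isinstance(ts, datetime)
            window = self.failures[user]
            window.append(ts)
            while window and ts - window[0] > self.window:
                window.popleft()
            if len(window) >= self.max_failures:
                self.alerts.append(("brute-force", user, resource))
                window.clear()  # reset so one burst yields one alert


def review(log_text: str, policy: Dict[str, Set[str]] = POLICY) -> List[Alert]:
    """Feed every log line through the monitor and return the alerts raised."""
    monitor = Monitor(policy)
    for line in log_text.splitlines():
        if line.strip():
            monitor.process(parse_line(line))
    return monitor.alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Running the block over the constructed log raises two alerts: bob, whose role is hr, successfully read the cardholder database even though the written policy forbids it, and eve, who hit five failed VPN logins inside the window. The first alert is the important one for this section: the access-control rule existed on paper, and only the ongoing analysis of what actually happened revealed that it was not being enforced.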
Compliance Becomes Relevant Only During Audits
We should understand that networks keep evolving, and this is the biggest challenge to network compliance and security. Evolution does not wait for businesses to catch up: networks change constantly, and compliance standards change much more often than many believe. Using the latest technology today does not guarantee that in a few months we will not be faced with new vulnerabilities. Auditors appreciate tightened network access and controls, but compliance is much more than pleasing auditors.