Five Steps to Make Compliance a Breeze
Learn how to work with security compliance in order to create a more secure platform for your users and a more knowledgeable team.
Many organizations are required to regularly educate employees about security responsibilities and best practices to meet compliance requirements, including PCI-DSS, HIPAA, NIST, and more. With well-rounded security awareness and application security training programs, your teams will better understand their roles and responsibilities around maintaining compliance for your company. Here are five steps you can take to ensure that your compliance goals are easily achievable.
1. Don't Fight Compliance, Embrace It
Compliance often feels like a chore, but compliance mandates are rooted in admirable principles - when it comes to security, compliance standards ensure data is handled, stored, and destroyed in a secure manner, which has a positive impact on the reputation, integrity, and profitability of an organization. HIPAA compliance works to ensure that some of our most private data - medical data - is kept secure from attack and exploitation. As the 10th Edition of the Verizon Data Breach Investigations Report outlines, in 2017 the healthcare industry saw 458 incidents, 296 with confirmed data disclosure, with Privilege Misuse, Miscellaneous Errors, and Physical Theft and Loss representing 80% of breaches within that industry. The compromised data broke down by type as follows: 69% Medical, 33% Personal, 4% Payment. The majority of the data compromise came from misdelivery, disposal error, and loss, meaning that with the proper compliance training many of these breaches could have been completely prevented. Security training mandated by compliance teaches practical skills and is a good investment in the security posture of your entire company. Let everyone in your organization know the benefit of training beyond simply "checking the box" on compliance.
2. Make a Plan
Compliance deadlines have a way of creeping up on us. Oftentimes it feels like a mad dash to complete all the necessary training and activities. With the EU's move to requiring compliance with the General Data Protection Regulation (GDPR) as of May 25, 2018, studies abound with shocking statistics on the lack of preparedness of organizations around the world. One such study, conducted by TrustArc among 204 individuals from companies subject to the GDPR, found that 61 percent of respondents had not even started the process of GDPR implementation, and only 11 percent had implementation underway. Even though they are halfway through the compliance notification period, more than half of these companies haven't even begun their compliance process. In spite of all the competing demands on a company's time, making time for compliance initiatives is an investment in the overall security posture of the business and a safeguard against attack, as well as against the fines and remediation costs of non-compliance. Work backward to roll out compliance training in a steady cadence over a defined period of time with enough buffer to meet the compliance deadline. This will give employees enough time to really learn the security concepts and put them into practice well ahead of looming deadlines and snooping auditors. If you communicate early and often with employees throughout the compliance process, everyone should be well aware of their role in achieving organization-wide compliance.
3. Compliance Is Everyone's Job
No matter your role at an organization, compliance applies to everyone in some way. Unfortunately, a recent Ponemon report sponsored by Experian Data Breach Resolution found that compliance does not always receive the executive support it needs. Citing the study, "...only 30 percent said their organization's C-suite was fully aware of the company's compliance status. Further, just 38 percent said their executives viewed global data regulations as a top priority." By tying compliance objectives to overall corporate goals and key performance objectives, everyone can keep compliance top of mind and understand the role of compliance in the context of their overall job responsibilities. Executive buy-in and support for achieving compliance goals go a long way in setting the proper expectations across an organization.
4. Distill Larger Mandates Into Actionable, Targeted Directives
When it comes to compliance mandates, different aspects apply to different employees. The ability to distill and focus larger mandates into more digestible directives for each group helps keep everyone on track to compliance. For instance, in a retail environment where PCI compliance is required, employees working at a cash register will have to understand different data handling concepts than the employees on the development team creating the company's mobile applications. Take some time to create targeted messaging for each group within your organization based on its role in the compliance process.
Published at DZone with permission of Lisa Parcella, DZone MVB.