Why Industry Compliance Is Not Enough
Information security is affecting the entire IT landscape.
Growing awareness of information security is affecting the entire IT landscape today. By 2020, it’s estimated that the average cost of data breaches will be in excess of $150 million. Due to the increasing attacks targeting businesses, more and more companies are lining up to invest heavily in information security. Much of the drive behind this investment is compliance. Security standards implemented in many industries require businesses in that sector to conform with a specific set of requirements.
The need for compliance is a great driving force indeed, but it is not to be mistaken for the sole objective of investing in security. Simply aiming for compliance is not enough; far from it, actually. There are several reasons why compliance is not enough, and we are going to review them in this article.
The Lagging Regulations
Compliance is based on regulations that govern specific industries; for example, Ibexlabs supports many healthcare organizations whose cloud infrastructure and software must conform to such regulations. Unfortunately, making changes to a governing regulation is never an easy process. This leads to the security standards required for compliance becoming insufficient, and there is a simple reason for that.
The attacks targeting businesses and individuals are constantly adapting and evolving to new challenges and better security measures. In fact, they are adapting at an incredible rate; a rate that cannot necessarily be matched by changes in standards and regulations.
When you aim only for compliance, you are following ‘outdated’ standards that are not always capable of protecting sensitive information from the newer challenges. This means leaving the majority of your infrastructure exposed to bigger risks.
Lack of Involvement
Compliance also seldom touches an important element in information security: the people. Sure, training and security policies are part of complying with information security standards, but they are certainly not enough if the goal is creating a secure IT infrastructure.
A more comprehensive set of policies is needed to really protect sensitive information from within. Access management and monitoring, including detailed access logging, are also essential in preventing data breaches caused by human error or deliberate acts.
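The access logging the paragraph calls for only prevents anything if someone actually reads the logs. The following is an added example, not Ibexlabs code: it runs three simple checks (failed-login bursts, direct use of the root account, and successful console logins from addresses outside an allow list) over a handful of constructed records shaped like AWS CloudTrail events. The records, the user names, the addresses and the `KNOWN_OFFICE_IPS` allow list are all made up for the example.

```python
"""Triage constructed CloudTrail-style access records for the human-error and
insider signals the article mentions. Added illustration, not Ibexlabs code."""
import json
from collections import Counter

# Constructed sample records. Field names follow the CloudTrail record shape
# (eventName, userIdentity, sourceIPAddress, responseElements); every value
# is made up for this example.
SAMPLE_RECORDS = [
    # A burst of console-login failures for one user from one address
    *[
        {
            "eventTime": f"2019-06-03T02:1{i}:09Z",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": "bob"},
            "sourceIPAddress": "198.51.100.7",
            "responseElements": {"ConsoleLogin": "Failure"},
            "errorMessage": "Failed authentication",
        }
        for i in range(5)
    ],
    # A normal login from an allow-listed office address
    {
        "eventTime": "2019-06-03T08:02:41Z",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
    },
    # A successful login from an address that is not on the allow list
    {
        "eventTime": "2019-06-03T23:45:12Z",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "sourceIPAddress": "192.0.2.55",
        "responseElements": {"ConsoleLogin": "Success"},
    },
    # Day-to-day work done with the root account instead of an IAM identity
    {
        "eventTime": "2019-06-03T10:11:00Z",
        "eventName": "CreateUser",
        "userIdentity": {"type": "Root"},
        "sourceIPAddress": "203.0.113.10",
    },
]

# Addresses the organisation expects console logins from (constructed).
KNOWN_OFFICE_IPS = {"203.0.113.10"}


def failed_login_bursts(records, threshold=3):
    """Return {"user@ip": count} for login failures at or above threshold."""
    failures = Counter()
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        failures[f"{user}@{rec.get('sourceIPAddress')}"] += 1
    return {key: n for key, n in failures.items() if n >= threshold}


def root_account_activity(records):
    """Return the API calls made directly with the root account."""
    return [
        rec["eventName"]
        for rec in records
        if rec.get("userIdentity", {}).get("type") == "Root"
    ]


def logins_from_unknown_ips(records, known_ips):
    """Return (user, ip) for successful console logins from unexpected addresses."""
    hits = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        ip = rec.get("sourceIPAddress")
        if ip not in known_ips:
            hits.append((rec["userIdentity"].get("userName"), ip))
    return hits


def triage(records, known_ips=KNOWN_OFFICE_IPS):
    """Run all checks and return one summary dict for a reviewer or ticket."""
    return {
        "failed_login_bursts": failed_login_bursts(records),
        "root_activity": root_account_activity(records),
        "unknown_ip_logins": logins_from_unknown_ips(records, known_ips),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

None of these checks is exotic; the point is that they run on every batch of logs rather than once a year before an audit, and that each one maps to a human decision (reset a password, move work off the root account, confirm a login with its owner) instead of a checkbox.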
Speaking of human error, there is also the need for regular training, reminders, and blanket understanding of information security best practices. Every part of the organization needs to assume a more active role in protecting information crucial to the organization and its stakeholders.
Staying with these evolving challenges, there is also the fact that most compliance standards only come with annual or bi-annual security reviews. What usually happens is that sudden changes and adjustments are made just before the comprehensive review, all for the sake of complying with the security standards.
Information security is no longer a one-time thing. It is a continuous process that involves constant monitoring and evaluation. This is where tools such as Amazon GuardDuty – a tool for active threat monitoring in the Amazon Web Services environment – become very important.
If your IT infrastructure relies on the Amazon cloud platform, you actually have more tools to use. AWS also comes with Inspector and AWS Artifact, both of which are crucial tools for security assessments.
Combined with existing features like AWS IAM and CloudHSM, maintaining maximum information security becomes a continuous process that is inseparable from your operational workflow. This is how the highest security compliance standards are surpassed.
A More Proactive Stance
It is also important to note that information security is not only about protecting yourself from attacks. It is actually more about preventing attacks from ever affecting your IT ecosystem, which is not a primary objective for many security compliance standards.
Referring back to the tools mentioned earlier, many of the Amazon cloud security features are designed for better early detection and prevention of data breaches. GuardDuty is very comprehensive on its own. It analyzes activities at an incredible speed and immediately detects potential threats.
The tool will then display those threats on your intelligence feed. You can clearly see malicious IP addresses and sources of bad requests, including requests that come from your own EC2 instances. This means GuardDuty can perform a comprehensive check of existing ecosystems as soon as it is activated.
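What GuardDuty hands you is a stream of findings, each naming a threat type, a severity score, the affected resource and, where one exists, the remote address. Turning that stream into a continuous process means deciding automatically which findings page someone and which wait for the daily review. The code below is an added example, not Ibexlabs code and not an AWS SDK call: it triages three constructed findings shaped like the EventBridge "GuardDuty Finding" event (an inbound SSH brute-force attempt, an outbound Tor connection from one of your own EC2 instances, and API calls made with an access key from a known-bad address). The account, instance, user and address values are made up, and the routing rule (`page-oncall` for high severity or any outbound finding) is an assumption for the example.

```python
"""Route constructed GuardDuty findings by severity and pull out the remote
address and affected resource. Added illustration, not Ibexlabs code."""

# Constructed findings shaped like the EventBridge "GuardDuty Finding" event
# (detail.type, detail.severity, detail.resource, detail.service.action).
# Instance ids, user names and addresses are made up for this example.
SAMPLE_FINDINGS = [
    {   # inbound SSH password guessing against one instance
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": "UnauthorizedAccess:EC2/SSHBruteForce",
            "severity": 2,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0aaa111122223333a"}},
            "service": {"action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "connectionDirection": "INBOUND",
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.7"},
                    "localPortDetails": {"port": 22}}}},
        },
    },
    {   # one of your own instances talking outbound to a Tor entry node
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": "UnauthorizedAccess:EC2/TorClient",
            "severity": 8,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0bbb444455556666b"}},
            "service": {"action": {
                "actionType": "NETWORK_CONNECTION",
                "networkConnectionAction": {
                    "connectionDirection": "OUTBOUND",
                    "remoteIpDetails": {"ipAddressV4": "192.0.2.200"},
                    "remotePortDetails": {"port": 9001}}}},
        },
    },
    {   # API calls made with IAM credentials from a known-bad address
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": "Recon:IAMUser/MaliciousIPCaller",
            "severity": 5,
            "resource": {"resourceType": "AccessKey",
                         "accessKeyDetails": {"userName": "deploy-bot"}},
            "service": {"action": {
                "actionType": "AWS_API_CALL",
                "awsApiCallAction": {
                    "api": "DescribeInstances",
                    "remoteIpDetails": {"ipAddressV4": "203.0.113.99"}}}},
        },
    },
]


def severity_label(score):
    """Map GuardDuty's 0-10 severity score to the Low/Medium/High bands."""
    if score >= 7:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"


def affected_resource(detail):
    """Return the instance id or IAM user name the finding is about."""
    res = detail.get("resource", {})
    if res.get("resourceType") == "Instance":
        return res["instanceDetails"]["instanceId"]
    if res.get("resourceType") == "AccessKey":
        return res["accessKeyDetails"]["userName"]
    return None


def remote_ip_and_direction(detail):
    """Return (remote IPv4, direction) for connection and API-call findings."""
    action = detail.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        net = action["networkConnectionAction"]
        return net["remoteIpDetails"]["ipAddressV4"], net["connectionDirection"]
    if kind == "AWS_API_CALL":
        return action["awsApiCallAction"]["remoteIpDetails"]["ipAddressV4"], "API"
    return None, kind  # DNS_REQUEST and PORT_PROBE carry no single remote IP here


def triage_finding(event):
    """Reduce one finding to the fields a responder needs plus a routing queue."""
    detail = event["detail"]
    ip, direction = remote_ip_and_direction(detail)
    label = severity_label(detail["severity"])
    # Outbound traffic from your own fleet means the host may already be
    # compromised, so it is paged regardless of the numeric score (assumed rule).
    page = label == "HIGH" or direction == "OUTBOUND"
    return {
        "type": detail["type"],
        "severity": label,
        "resource": affected_resource(detail),
        "remote_ip": ip,
        "direction": direction,
        "queue": "page-oncall" if page else "daily-review",
    }


def triage_all(events):
    """Triage every GuardDuty finding and return them most urgent first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    rows = [triage_finding(e) for e in events
            if e.get("detail-type") == "GuardDuty Finding"]
    return sorted(rows, key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for row in triage_all(SAMPLE_FINDINGS):
        print(row)
```

In a real deployment the same function would sit behind an EventBridge rule for `aws.guardduty` events; the constructed list here stands in for that feed so the routing logic can be exercised offline.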
Compliance Only Helps You Achieve The Bare Minimum
Last but certainly not least, there is also the fact that compliance standards are designed to be inclusive. The industry needs many — if not all — of its players to have the ability to comply with the security standards without having to make big changes. Most compliance standards are only designed to be the bare minimum rather than a comprehensive set of requirements.
Think of security compliance as setting a password. Yes, it’s possible to use 12345678 as a password because one is required (though who does that nowadays?), but the password is far from secure. Adding a password is a start; the next step is changing the password so that it is more difficult to guess. To complete the set, you make sure the password is protected and isn’t shared with anyone.
Taking additional steps and exceeding the bare minimum is a must. When you consider the complexity of today’s cyber attacks, simply complying with the security standards is not enough.
For more on conforming to healthcare industry standards, check out our article Technical Safeguards for HIPAA Compliance.
Published at DZone with permission of Narendar Nallamala. See the original article here.