Organizations are in a constant struggle to find the right balance between protecting customer and employee data, protecting privacy, and complying with regulations. Finding the right balance is something that organizations must figure out in order to remain competitive.
Customers expect the companies they do business with to protect their data from breaches. They also don’t want their data collected if it doesn’t need to be, and they don’t want their data shared or sold without their knowledge or permission. Customers also expect organizations to comply with data privacy regulations such as GDPR in Europe or HIPAA in the US, which covers health-related data.
But simply complying with regulations isn’t enough because compliance only covers what’s on paper, not the day-to-day implementation of security policies and procedures. Compliance audits might occur every year or every 18 months, while new threats emerge all the time and companies need to stay ahead of the attackers.
In a recent survey by McKinsey, 87% of global respondents said they would not do business with a company if they had concerns about its security practices and 71% said they would stop doing business with a company if it gave away sensitive data without permission.
According to McKinsey, “Because the stakes are so high, the way companies handle consumer data and privacy can become a point of differentiation and even a source of competitive business advantage.”
How can companies increase security compliance?
Organizations need to be constantly on the lookout for new threats, whether those threats come from external sources or from insiders, whether they are percolating on the Dark Web or on social media channels, and whether the target is sensitive data or the reputation of executives.
By using open-source intelligence (OSINT) and data from Deep and Dark Web forums, organizations can search for hacker chatter and for tools and methods being shared that could harm the organization. And by using a platform that integrates multiple OSINT tools, companies can automate the investigation of incidents.
OSINT toolsets also provide an audit trail to demonstrate to auditors that the organization is in compliance with regulations.
SOC2 compliance becomes de facto standard
One certification that is becoming the de facto global standard is SOC (System and Organization Controls), developed by the American Institute of CPAs (AICPA). The standard provides a framework that allows service organizations to select and implement control measures for protecting data.
Examples of service organizations include software-as-a-service (SaaS) vendors, credit card processing platforms, cloud computing firms, Web hosters, data centers and colocation providers and managed security service providers.
SOC audits can be performed by independent CPAs or accounting firms. If an organization passes the audit, it can issue a compliance report that can be made available to regulators and business partners to demonstrate how the service organization manages its data.
The SOC standard doesn’t tell organizations what tools to buy or how to run their business, but it does set out five areas in which companies need to implement controls. These SOC2 principles can be applied to all organizations that want to secure assets: security, availability, confidentiality, processing integrity and privacy. (Media Sonar is in the process of becoming SOC2 compliant.)
The differences between compliance and security
SOC2 compliance is important but simply passing the test isn’t enough. A SOC2 report of a service organization’s internal controls is a review that takes the auditors between six months and a year to complete. Once the report is issued and the company is SOC2 certified, follow-up audits might be conducted annually.
But security threats are constantly evolving, zero-day attacks are on the rise, and adversaries are getting more sophisticated. At the same time, the organization itself is constantly changing: new applications are being launched in the cloud, employees are working from remote locations, and new partnerships or relationships with third-party vendors are being created.
In other words, companies that pass a compliance audit shouldn’t become complacent. Effective security requires consistent attention, a flow of Web intelligence, and being constantly adaptive to the threat landscape.