Compliance: A Small Investment Upfront to Avoid Large Losses in the Future
There are three kinds of companies that exist in the world today. Those that have been breached, those that don’t know they’ve been breached and those that will be breached. While this may seem to be a rather pessimistic view of the business landscape, time and time again we’ve seen that no matter how secure companies appear to be on the surface, there is no way to be 100% secure from all internal and external threats.
This is why compliance polices & procedures are so important for organizations of any size to implement. Compliance, in the broadest sense, aims to mitigate the potential damage and the time to discovery that any existing or new unknown threat can cause a potential victim. It also allows those who are unfamiliar with the technical “nitty-gritty” of the risks, i.e. C-Suite, investors, shareholders, to be confident that no matter what situation arises, the organization has an effective plan and safeguards in place to catch and appropriately respond to any potential threat. Compliance has become more than just a nice to have, for many companies it is a full budget item that regularly needs to be reviewed.
While in the past compliance may have been a fairly easy task to accomplish, as the complexity of the threats has increased, so has the sophistication of counter measures needed to effectively combat them. With this has come added cost and time to implement, which has made many shy away from thinking they need a dedicated plan or team in place, especially with the rise of online businesses. After all, if you don’t have a physical server room to lock or filing cabinets to secure, what benefit is there to implementing a compliance policy?
Each organization has different needs and requirements. A large enterprise level company will almost certainly have a large IT department with dedicated cyber-security solutions and likely an entire department focused on compliance. Whereas a small 20 employee company probably doesn’t have the staffing or resources to have a person fully dedicated to always be focused on compliance. However, even in a small organization, made up of only a few employees, an effective compliance & security mindset should always be present and more importantly should permeate down from management to the employees below.
Even though compliance can seem like a bit of a chore to both managers and employees alike, it is critical that they all understand and buy into why compliance is important (beyond it being something that they are “supposed to do”). Written polices and procedures are good guides for explaining both why it is necessary for these restrictions to exist and exactly what is expected of everyone. They also allow you to determine how you will respond to a breach event or threat and helps ensure consistency through employee turnover. Updating these policies & procedures with lessons learned after an event happens is a great way to consistently add experience and eventually have a complete and robust security framework. You don’t need to have it all figured it out right away, but continual growth shows customers, board members and shareholders that you are serious about compliance and are prepared for whatever changes the future holds. The best time to plant a tree is 20 years ago, the second-best time is right now.
However, all the policies and procedures in the world don’t matter if no one is actually following them. A culture of intentional thoughtfulness and security should be of much greater importance than strictly checking off boxes on a spreadsheet. It is important for management to take a high-level view of security and compliance and not necessarily directly blame or punish employees for human mistakes. While disciplinary action could be called for, the more important action item should be to re-evaluate the system that was in place that allowed for a human mistake to occur or go on without being caught.
Beyond broad changes to employee mindsets and corporate culture, there are a few simple items that ALL companies should strongly consider implementing to meet the minimum security requirements to exist in the current digital landscape.
Enable Multi-Factor Authentication (MFA) on all accounts. You know that annoying thing that makes you take your phone out of your pocket, wait for a text message to appear then type the random code it gives you into your login window. While a lot of people may get exasperated by need to do this regularly, it has been shown to be one of the most effective and easiest ways to improve security with your account being 99.9% less likely to be compromised. There is also a new way of thinking in cyber security that going “passwordless” and only using a form of MFA from your phone to approve sign ins. While there are a number of situations that this wouldn’t work for, companies like Microsoft have been pushing for a passwordless future and have explained in depth the reasoning behind avoiding passwords all together.
Never re-use or use weak passwords. A lot of people treat this statement like they do when the dentist asks you how often you floss. You know you should, and sometimes you do it like they suggest, but most times you just end up forgetting (since it probably won’t matter). However, whether it is cavities or compromised data, you always look back and wish you had just done it I the first place.
Use a Password Manager. While having one password for your email and one for your computer may have been fine in 2003, there are just too many accounts for any one person to remember all their usernames and passwords now-a-days. This usually causes people to end up re-using their same password in multiple places or using simple passwords that are easy to guess (for both you and anyone else online). The best way to avoid this is by changing all your passwords to be unique random text characters and numbers and saving them all to a password manager that encrypts your vault with a single strong, unique password that only you know (with MFA enabled of course). While some people can be hesitant to use a password manager at first, after properly understanding what it does and how it works, it is currently the best option to date for ensuring no passwords are compromised.
For slightly larger companies who have customers that want to have confidence in the procedures you have in place, there are a number of standardized designations that companies can obtain that show their commitment to security and compliance. Mozzaz, for example, has just completed it’s SOC-2 (type 2) certification and now customers can confidentially know the level of commitment Mozzaz has to protect their data. If you don’t know what should be done or how to implement, consider hiring a third-party to review or even just plan a meeting to discuss with people in your organization of gaps they are aware of.
So in summary, why is compliance important to all companies?
Protects from both internal and external threats
Ensures the same instructions/expectations are communicated to all employees
Guarantee established procedures through employee turnover
Sets precedent for how to respond to unforeseen events
Formal designation gives boards and new customers confidence
Being 100% perfect is never possible but learning and getting better month over month is. How do you eat an elephant? One Byte at a time.
