Data breaches do not exclusively happen to organisations that ignore compliance and refuse to implement a risk management programme.
Unfortunately, they also happen to organisations that, on the face of it, hold every major accreditation appropriate to their sector. Why is this? Simply put, the certifications only go so far. Genuine data security compliance is only achieved when risk identification and risk minimisation are given the resources they need, on an ongoing basis rather than in the run-up to an audit.
At the moment, most organisations are focused on ticking a box rather than on ensuring that their processes actually minimise risk. For those who are truly focused on avoiding data breaches, the process must go further than hanging a certificate on the wall. Certification proves that an organisation is able to work to a specific standard on the day it was assessed; it does not prove that the organisation does so every other day of the year. It is only by ensuring that a solid risk management programme is followed carefully and consistently that an organisation reduces its chances of a data leak, and of the hefty fine that can follow one.
There are many certifications and compliance programmes designed to test the resilience of a company's data security procedures, HIPAA and PCI DSS for example, and they are excellent instigators for identifying improvements within risk management. However, there is no overarching accreditation that can identify the risks specific to an individual company; such schemes are designed, in essence, to ensure that a minimum generic standard is reached. Every organisation must look beyond tick-box certification and be prepared to examine every aspect of its own digital footprint in order to fully appreciate the data risks it actually faces. Doing so will also go a long way towards maintaining the minimum standards of the accreditations day to day, as opposed to merely proving they can be attained on a given audit date.
Given the huge cost of non-compliance, including regulatory fines (which under GDPR can reach 2% of global annual turnover, or 4% for the most serious infringements), legal fees and damage to reputation, full compliance is relatively inexpensive. It therefore seems logical to supplement external security audits with a regular programme of internal checks. The benefits go beyond improving data security: they also make full audits far less taxing, reducing disruption to productivity and unnecessary stress, especially for those who carry the data security compliance burden within an organisation.
Full compliance is not without cost; however, that cost is small when set against the cost of a data breach. Full compliance involves a thorough investigation of an organisation's own infrastructure and ensuring that the risks it uncovers are minimised on an ongoing basis. You cannot become truly 'compliant' by ticking off a list of pre-defined requirements. You must be prepared to take a proactive approach to risk identification and to maintain your risk management processes constantly. That is what taking potential data breaches seriously looks like, and it is what will help you sleep at night.