Compliance with HIPAA and other federal government mandates is not a surefire way to guarantee information safety, according to a new study from Vormetric. In fact, organizations’ blind desire to remain compliant may actually be a factor that leads to additional breaches.
Vormetric and 451 Research recently published the results of the fourth annual 2016 Vormetric Data Threat Report, which questioned 1,100 security executives from around the globe to learn more about their understanding on what it takes to properly protect sensitive information.
The study revealed an abundance of executives equated meeting compliance requirements with securing their assets, according to Vormetric. Respondents also showed an overreliance on buffing endpoint security at the expense of complete system protection. Companies in the United States rated the highest in regard to prioritizing compliance at 54 percent, followed by Australia and Germany at 51 percent and 47 percent.
So why do a majority of enterprise executives associate compliance with security? While the study doesn’t offer a concrete answer to this issue, one could guess that an outdated understanding of how breaches are detected and contained seems to be at the center of the confusion. In fact, 64 percent of organizations surveyed rated compliance as either very or extremely effective at stopping data breaches, according to Garrett Bekker, senior analyst for enterprise security at 451 Research and the author of the report.
“Compliance does not ensure security,” said Bekker in a statement. “As we learned from data theft incidents at companies that had reportedly met compliance mandates (such as Anthem, Home Depot and others), being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”
Vormetric said organizations that wish to truly protect themselves from being breached need to stop spending so much of their funding on network defenses as well as reduce the amount of emphasis placed on endpoint and mobile defenses. Last year, spending on endpoint security and mobile defenses in particular saw increases of 48 percent and 44 percent, respectively, despite their relative ineffectiveness in preventing cyber attacks.
For those looking to ramp up their protection, Vormetric recommends organizations focus on deploying more data-at-rest-solutions, which the company posits are the most effective means of protecting sensitive data. While the U.S. ranked second on the list of nations planning to increase their spending on data-at-rest defenses, overall spending on these solutions declined by eight percent last year. Again, Vormetric stressed the importance of actually protecting data over simply ensuring compliance – a common faux pas that can create serious trouble down the road.
While these certainly weren’t the only findings in Vormetric’s study, the confusion surrounding compliance and security is important because it highlights the dissonance between complying with federal and financial policies on paper compared to actually protecting information in the real world.
Failing to meet compliance requirements is a scary prospect, and certainly something organizations around the world have to worry about, but the real issue is how much emphasis organizations place on meeting a requirement as opposed to taking action against real threats. Sadly, this problem is bound to persist so long as the government continues to enforce outdated security methods and allows the real problem of proper cybersecurity education to go unaddressed.