Regulatory compliance has become a way of life for many companies, especially in industries such as healthcare and financial services. The number and variety of regulations has increased in recent years - and for many organizations the process of ensuring compliance is both costly and time consuming.
Consider what the U.S. Health Insurance Portability and Accountability Act (HIPAA) has meant for IT and security departments within healthcare organizations. A portion of HIPAA defines the policies, procedures and guidelines for maintaining the security and privacy of individually identifiable health information, and creates standards for the use and dissemination of healthcare information.
The costs of non-compliance
A failure to comply with HIPAA can result in significant financial ramifications, including fines and penalties. In fact, fines can run as high as a million and a half dollars for a healthcare organization for each state in which data is breached, depending on how severe the data breach is.
As if that’s not enough, companies can also incur high costs for fixing the problem that caused the breach in the first place and preventing similar breaches from happening in the future.
HIPAA is by no means the only regulation that can create headaches for IT and security, and some of the rules can actually create problems for organizations’ security efforts.
For example, the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard for organizations that handle cardholder information for the major debit, credit and other payment cards, has a requirement for a “clean scan” that can be a huge burden for companies.
And for businesses that offer services mainly via the cloud, the need to be compliant with multiple federal and industry regulations can create huge complexities that have the potential to hinder security.
How VARs and MSPs can help
For you as a VAR or managed services provider, the plethora of government and industry regulations represents an opportunity to help customers meet some of these requirements - particularly those that address information security and data privacy.
The thing is, no matter how annoying compliance might be, it actually is designed to help companies to be more secure. Attackers could not care less if a target company is compliant, and they certainly have no plans to adhere to compliance standards. But their chances of a successful hack are probably much lower if the target has indeed worked to be compliant.
The right direction
Compliance helps push organizations toward better security by setting a bar. But too often organizations spend their effort on figuring out how they can do the least to achieve the bar that is set. So it’s a sort of ‘spirit of the law’ versus ‘letter of the law’ type of scenario. And frankly, given all that CIOs, CISOs and other technology and security executives have to be concerned with, compliance is not likely to get them to stop everything and enthusiastically jump into a compliance project.
This is where outside expertise (you, the information security and data privacy consultant) can help. Not only can you help customers understand the importance of full compliance, but you can also assist them in selecting the best technologies to meet their compliance needs, as well as handle implementations and ongoing maintenance.
While meeting compliance is a must for many companies, compliant organizations continue to be compromised by intruders, and that indicates that something clearly isn’t working. The gap between “compliance” efforts and strong security speaks volumes. It forces organizations to ask, “Are IT and security decision makers helped by compliance, or hindered?”
Compliance standards, especially relatively clear-cut ones such as PCI DSS, should be helping organizations to bolster their security. In many cases they likely do. But are the compliance efforts underway at many companies hopelessly behind the attackers, and do they set a bar that is too low to address current security threats?
Complicating matters
Furthermore, can compliance efforts keep up with virtualization, and private, hybrid and public cloud computing? What about the impact of mobile devices and applications, and social media? For that matter, what will the emergence of the Internet of Things, with its potentially millions of connected products sharing data, mean for security and data privacy issues?
These are all questions that C-level decision makers are likely to have as they are handed orders to work on compliance initiatives. And for smaller companies in particular, which are strapped for resources as it is, the added burden of having to look into these issues can be heavy.
You can bet that many of them are looking for help—whether they realize it or not. As a reseller and managed service provider who is focused on security technology and services, you have an opportunity to learn as much as possible about compliance and help organizations raise the compliance bar to a level that hackers will have to struggle mightily to reach.