Data survey

by Mark Rowe

Results of a survey of more than 200 technology people charged with maintaining compliance at companies with more than 2000 employees in the healthcare, retail and financial services industries reveal almost all respondents lack confidence in their ability to address and manage governance, risk, and compliance.

Tim Sedlack, senior product manager, Governance/Risk/Compliance solutions, Dell Software, says: “Too often, we are seeing security and compliance failures that don’t have to happen. Regulated industries like healthcare, retail and financial services have a tough road when it comes to meeting their governance, risk and compliance objectives, and our survey results show they are worried about it. Let’s face it – a failed audit can be very costly for any organisation. But, with the help of Dell Software’s compliance and identity and access management solutions, and by following our best practices for achieving continuous compliance, IT organisations can help their companies maintain a compliance and security orientation that is ready for an audit at any time.”

According to the IT product company, IT professionals face an uphill climb to maintain environments held to standards set by external regulatory control, as well as to meet internal policies and best practices set forth by the organisation itself. Controls required by regulatory agencies are not a one-time implementation. Rather, they represent a set of minimum, usually security-based standards that must be maintained and updated at all times to keep the company prepared in the event of an internal or external data breach, which can happen at any time, with little warning.

Some findings of the Dell Software commissioned Dimensional Research survey include:

o 83 percent of respondents believe their organisation’s security would be improved if the security and compliance teams worked more closely and shared more information

o Fewer than half said employees adding new data sources to the environment for compliance and security take the time to inform the security and compliance teams about the new data; and

o 59 percent of respondents cited limited manpower, and 49 percent cited growth in the amount of data as the number one and two causes for concern in meeting GRC (governance, risk management, and compliance) objectives.

Organisations are concerned about their ability to prevent unauthorised access and changes to sensitive data, setting them up for a potential data breach.

o 93 percent of respondents are concerned about their ability to prevent unauthorised changes

o 22 percent are concerned about unauthorised internal access by employees or consultants

o 61 percent are concerned about both external and internal unauthorised access

Organisations are not confident they are capturing all compliance data needed to maintain regulatory standards, and a large percentage have no consistent process for managing the volume of data required for regulatory control.

o Less than 50 percent of respondents proactively review, add or remove data sources that are no longer required – putting a large portion of organisations at a much higher risk of security threats while believing they are compliant and secure

o Only 11 percent of respondents are very confident that their organisation is capturing all the data necessary to detect, investigate and determine the root cause of an incident or data breach; and

o Less than 50 percent of respondents have a consistent process in place for adding regulatory data sources.

A solid governance, risk and compliance strategy calls for compliance and security teams to work together and share information. This helps to ensure your organisation is continually compliant, has the maximum level of protection from breaches, and is prepared to handle a potential data breach effectively. Dell Software recommends that IT organisations get a better understanding of the value of closer alignment between compliance and security teams and the importance of sharing regulatory information across the teams.

There are benefits to regularly and proactively reviewing the data sources collected, getting rid of the old, and ensuring the right people have the right access to the right information. Remember that de-provisioning is more important than provisioning. Managing access rights properly also creates an opportunity to share data without granting access to the collecting application or infrastructure, and without revealing how the data was collected.

Finally, don’t forget privileged accounts. With access to mission-critical applications and data such as credit card information or patient history, these powerful accounts are highly sought-after by external and internal threats alike. It is critical to understand which privileged accounts exist in any organisation’s environment, as well as the dangers of setting up access controls and privacy in an inconsistent manner.


© 2024 Professional Security Magazine. All rights reserved.