Number 2 is that organizations are simply not aware of, or are just not doing, the compliance.
The 2014 Verizon PCI DSS report stated that only 11 percent of companies passed all 12 PCI DSS requirements. This report was for PCI, not HIPAA, but the trend is the same wherever we look, excluding the financial sector. The financial sector is highly regulated, and this seems to make a big difference: it is the most attacked because it's where the money is, and it is the best at compliance. But as I have stated before, compliance is the minimum! So it's unfortunate we can't even get everyone on board here; no wonder cyber criminals enjoy such easy access to so many organizations.
Let's define compliance vs. security. As I recently stated in a quote in the Nov. 17 issue of Fortune, "How Frank Blake kept his legacy from being hacked": "Compliance is backward-looking and static, and security is forward-looking, dynamic, and intelligent." Compliance is the foundation for security; it's the minimum.
Number 3: Just where are organizations failing on compliance? Policies are not in place. I'm talking about a cybersecurity policy, an acceptable use policy, a remote access policy, a wireless access policy, and a BYOD policy, to name a few. Policy sets the stage; it tells everyone the CEO gets it and that all users play a critical role in properly managing risk within the organization. This includes your vendors. Remember, Target had a vendor issue.
We see very little pen testing. Shore Break Security's Mark Wolfgang advocates continuous pen testing. He says if you are hacked quarterly, then scan quarterly. Otherwise, if you are like most organizations, which are hacked daily, pen test and scan daily. This is a game changer and companies need to look closely at it; it's a sure win for our side!
We also see too many administrator accounts, or too many users with rights above and beyond what they need to do their jobs (a violation of the principle of least privilege), poor passwords, and little or no user security awareness training. Humans are usually the weakest link, and cybercriminals constantly exploit this by sending a phishing email to an unsuspecting user who is willing to click on that malicious attachment or link.
Number 4: Technology. Remember that, as a minimum, you have a firewall and it's managed, an intrusion prevention/detection system, anti-virus on all devices, a web filtering appliance, an email filtering appliance, and a sandbox device like FireEye or Fortinet type technology. This sandbox technology is now needed to combat zero-day exploits; it catches Advanced Persistent Threats that firewalls and anti-virus can't detect or block. We constantly see outdated or unmanaged firewalls, or no one is looking at any device logs. Stay away from any product that claims to be a magic bullet; they will say, "This will solve all your security and compliance issues." It's never that simple.