7 Biggest IT Compliance Headaches and How CIOs Can Cure Them
IT, security and compliance experts discuss the biggest issues facing companies these days -- and what steps organizations can take to minimize potential regulatory compliance risks and security threats.
Tue, September 17, 2013
CIO — As if IT departments didn't have enough to worry about these days, they also have to ensure that the organization complies with the industry and federal regulations (PCI DSS, Sarbanes-Oxley, HIPAA) that govern how sensitive customer, financial and health data is handled. That is an increasingly difficult task in today's decentralized, mobile, app-filled world, and it's enough to give a CIO or CTO a headache.
"Compliance is a hot issue in IT, and for good reason," says Andrew Hodes, director of technology at INetU, a cloud and managed hosting provider. "Failure to meet rules and guidelines set by compliance standards could mean fines, penalties and loss of trust."
The Biggest IT Compliance Challenges
But keeping the organization in compliance with industry and federal rules can be difficult, especially with more companies allowing workers to bring their own devices (BYOD). So what are some of the biggest challenges to keeping compliant? Dozens of technology pros and compliance experts share their top seven answers.
1. Employees. "Employees play a key role in protecting a company's sensitive data," says Jim Garrett, chief information security officer at 3M. "Low-tech methods like snooping, social-engineering or phishing are common techniques used by hackers against employees to gain unauthorized access to corporate information," he says.
"To overcome this threat, it's important to educate all employees on different ways information can be acquired through very low-tech methods and give them tools they can use, like protecting corporate data displayed on a laptop with a privacy filter while traveling or how to recognize phishing attacks, to help mitigate any risk," Garrett says.
"Having up-to-date security policies that are understandable to employees outside of IT is crucial," adds Scott Peeler, managing director, Stroz Friedberg, which specializes in investigations, intelligence and risk management. "Information security policies should cover the creation, transmission, transport and retention of information; when and how information can be disposed of or removed from corporate servers/storage; remote, wireless, electronic and physical access to the corporate network; and security precautions to use while traveling."
2. Laptops. To avoid the potential theft of data from mobile workers, "provide travel laptops to employees... and create specific information security policies to protect the network from cyber infiltration," says Peeler. "Travel laptops fully capable of executing vital business functions but stripped of proprietary, sensitive or secure information can mitigate risk of infiltration."
3. Mobile Devices. Mobile devices also pose serious security and compliance risks. "Regulated data isn't subject to a lower standard of protection just because it ends up on a mobile device," notes Ryan Kalember, chief product officer at WatchDox, a provider of secure mobile productivity and collaboration solutions.