“Remaining compliant with data has always been a concern for organizations, and a headache for IT,” states Doug Bordonaro, chief data evangelist at ThoughtSpot, a business intelligence and data analytics provider. “While that remains true in today’s world, the underlying drivers have changed.

“Previously, most compliance initiatives were driven by national legislation like HIPAA and SOX and rooted in security concerns around hardware and software,” he explains. “Today, however, enterprises must manage, govern and ensure compliance for the overwhelming amount of data they produce, especially in the face of global legislation like GDPR, rather than national regulations.”

So what are the biggest compliance-related issues that organizations face today? CIO.com surveyed dozens of IT, compliance and security experts to get their take. Following are the top five they cited, as well as suggestions regarding what IT leaders can and should do to ensure their organizations comply with industry and government regulations.

BYOD

“Personal mobile devices [e.g., smartphones and tablets] … create security vulnerabilities,” says Lisa Hawke, vice president of security and compliance at Everlaw, a provider of e-discovery software. But organizations “can mitigate this issue through a strong bring-your-own-device policy backed up by technical controls. Mobile device management protocols, such as Google Mobile Device Management, are key to oversight in this area because they provide the ability to remotely remove access to selected accounts or wipe a device.”

Furthermore, managers can prevent critical data from being “compromised [lost or stolen] by enforcing device lock passwords, the longer the better,” she says. And they should “replace SMS with a time-based one-time password-based method, such as Google Authenticator.”

Software management (updates and patches)

Keeping up with software updates and patching existing software when vulnerabilities are detected is another major issue for IT organizations.

“In 2017, the number of third-party vulnerabilities discovered in commercial and open source software more than doubled, requiring CIOs to ensure that their software was patched in order not to expose their organization to unnecessary risks,” says Rami Sass, co-founder and CEO of WhiteSource Software, an open source security and license compliance management platform. “We all still remember the patching frenzy led by Meltdown and Spectre in late 2017.

“The Equifax breach is another great example of the importance of patching vulnerable third-party components since the root cause was an exploitation of an open source vulnerability in their web application,” he adds. “The vulnerability was published in March together with a patch, but Equifax failed to patch it and the hacker exploited that known vulnerability. In third-party vulnerabilities, we need to remember that the information is known to the entire public, so a quick response is crucial.”

The bottom line: IT managers need to ensure that their organizations are current with software updates and patch any known vulnerability promptly. Once a vulnerability and its fix are public, attackers have the same information as defenders, so the window between disclosure and patching is the risk that matters.

GDPR

“Europe’s sweeping privacy regulation, the General Data Protection Regulation, goes into effect May 25, 2018, and it looks beyond data security at how an organization uses data and respects individual privacy,” says attorney Daniel L. Farris, chair of the technology group at the law firm Fox Rothschild LLP.

“It is pervasive, impacting the entire enterprise, and [will require] active management/oversight of third party vendors.

“Companies that collect or process data about Europeans, offer goods or services in Europe, or even receive, store or process EU personal data for corporate customers will likely have to comply. [And] compliance means … enterprise-wide data mapping and a data inventory, generally only using personal data as permitted by individuals after consent/opt-in, managing vendors, regularly auditing or assessing privacy compliance programs and respecting an individual’s ‘right to be forgotten,’” he explains. “Non-compliance can cost a company up to 4 percent of global turnover [gross revenue].”

To help tackle GDPR, “begin documenting data processing and resulting risk, including any applicable rights of the data subject, if you have not already,” says Hawke. “GDPR Article 30 requires that every organization subject to the regulation must maintain a record of data processing activities.” Free tools, such as this template provided by Everlaw, can help guide organizations through that documentation.

EDI/vendor management

“A major vulnerability of many companies comes from Electronic Data Interchanges (EDI) and vendor system integration,” says Farris.

“A 2017 report by Soha Systems indicated that as many as 63 percent of all reported data breaches originated directly or indirectly from third-party vendors. Some of the most well-known data breaches, from Target (HVAC) to Home Depot (POS software on handheld devices) to Philips (payroll processor), have originated as breaches at a third-party vendor. Managing not only vendor information security but also vendor compliance with privacy laws is a major undertaking and significant compliance challenge.”

IoT

“With the proliferation of the internet of things (IoT), there is explosive growth in the number of endpoints and interconnected devices,” says Farris. “To date, IoT security standards have lagged, creating a potentially huge number of new vulnerabilities in organizations’ networks. This digital-physical convergence is being seen across almost all industries, including financial services, retail, food and beverage, industrial, energy, oil/gas, automotive, transportation and utilities companies.

“Unlike some other threats to an organization’s network, IoT endpoint vulnerabilities could ultimately lead to more than financial or reputational harm, but actual physical harm to individuals,” Farris says.

“To make sure that IoT systems in the enterprise are fully compliant to security regulations, CIOs should schedule annual penetration testing,” says Boris Shiklo, CTO of ScienceSoft, an IT consulting company. “This activity [should be] performed frequently in case there are changes in an IoT architecture.”

Another option is “sandboxing IoT devices into a separate area of the network, limiting their — and by association, hackers’ — access to sensitive data and credentials,” says Ofer Amitai, CEO of Portnox, a provider of network security solutions.
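The segmentation Amitai describes, as an added example that is not from the article or from any of the vendors quoted in it: an nftables ruleset for a Linux router that keeps IoT devices on their own VLAN and lets them reach only the Internet, never the corporate LAN. The interface names (lan0 for the corporate LAN, iot0 for the IoT VLAN, wan0 for the uplink) and the permitted ports are assumptions chosen for illustration; adjust them to the real network.

```nft
# Added example: nftables ruleset segmenting an IoT VLAN on a Linux router.
# Assumed interfaces: lan0 = corporate LAN, iot0 = IoT VLAN, wan0 = uplink.
# Load with:  nft -f iot-segment.nft      Inspect with:  nft list ruleset
table inet iot_segment {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections permitted by the rules below
        ct state established,related accept
        ct state invalid drop

        # Management hosts on the LAN may initiate connections to IoT devices
        iifname "lan0" oifname "iot0" accept

        # IoT devices may never initiate connections toward the LAN;
        # log these so the SOC can see which device is probing inward
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan-drop: " drop

        # IoT devices may reach the Internet only on the ports they need
        # (assumed here: HTTP/HTTPS for vendor cloud, NTP for time)
        iifname "iot0" oifname "wan0" tcp dport { 80, 443 } accept
        iifname "iot0" oifname "wan0" udp dport 123 accept

        # Anything else leaving the IoT VLAN is logged and dropped
        iifname "iot0" log prefix "iot-drop: " drop
    }

    chain input {
        # Only restrict what the IoT VLAN may send to the router itself;
        # other interfaces keep the router's existing policy
        type filter hook input priority filter; policy accept;

        iifname "iot0" ct state established,related accept
        # IoT devices may talk to the router only for DHCP and DNS
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept
        iifname "iot0" log prefix "iot-router-drop: " drop
    }
}
```

Two caveats a practitioner will want. First, these rules only govern routed traffic: if IoT devices share a layer-2 segment (the same VLAN or Wi-Fi SSID) with workstations, they never traverse the forward chain, so the devices must actually be placed on their own VLAN for the ruleset to mean anything. Second, the default-drop forward policy means that any IoT protocol not listed (a vendor's MQTT port, for instance) stops working until it is added explicitly, which is the intended behaviour; the `iot-drop:` log lines show what a device was trying to reach and double as a detection feed for a compromised device attempting to move toward the LAN.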