Compliance pressures often push companies to make security improvements they wouldn't have tackled otherwise. More budget goes toward technology needed to protect customer data. New policies are created to rein in what employees do online with company machines.
But there's a dark side to this story.
In the mad rush to comply -- whether the stick takes the shape of PCI DSS or the Red Flags Rule -- companies sometimes make decisions that weaken their security. Poorly chosen and deployed IT security technology is perhaps the best example; for more on that, see "How to Make Things Worse With IT Security Technology.
Here are five common mistakes as related by IT security practitioners, analysts and consultants.
1. How to Botch Multi-factor Authentication multi-factor authentication. When done right, a much more secure log-in system is in place. But when it's deployed in a haphazard, hurried fashion in the race to meet a deadline, it can be worse than doing nothing. Niels Groeneveld, information security engineer for a global telecommunications company, has seen such failure up close when trying to help customers. The hurt begins when the implementers decide to make exceptions to the rules everyone should be following.
Many companies have opted to ditch the easily-compromised username and password approach in favor of
"I've seen a company implementing multi-factor authentication worldwide in their desktop environment for compliancy reasons. They've spent tens of millions (at least) on this project," he said. "The company added an escape route, because employees often forget their tokens, to ensure they can also log on without those tokens, using their regular username/password combination."
The result, he said, is an environment that is no longer compliant, with multi-factor authentication that doesn't offer real security because it can be circumvented, and "no possibility to apply the concept of non-repudiation" when the token is not used.
2. Look, Ma, No Research!
The first example is but a symptom of a larger problem. Companies under the compliance gun are so eager to install technology that will win them a passing grade that they forget to do their homework before going to the vendor.
Jonathan Tranfield, security and risk practice manager and principal at Brookhaven Advisory Services, has seen companies make this mistake.
"I am seeing stressed CSO's throwing in vendor products in a hurry to meet a compliance deadline without adequate research, change management and release management. I have been at two clients lately where this has caused large issues including one major outage at a bank."
3. Retrofit Fail
There's a very good reason companies need to be doing their homework when making the purchases described in the second example. Bolting a new security tool onto existing infrastructure can be a lot like trying to hammer star-shaped pegs into oval-shaped holes. It's an old problem many companies fail to learn from, said Ed Ziots, network administrator for a company in Providence, R.I.
"Everyone is in a rush to get compliant to meet the letter of the law and lower their risk to regulatory punishment and damages that they fail to see the forest from the trees, and don't stop to look at the big picture, which continues to perpetuate the fire-drill exercises to secure things instead of looking at the security of the products and services that are part of the business fabric and incorporate this from the beginning," he said.
One of the most common mistakes along the way is trying to retrofit security solutions to systems "instead of baking in the security solutions at the system-design level," he said.
4. Extremism in the Cause of Compliance IS a Vice
Fear often leads to extreme measures that either make matters worse or have no beneficial impact. Such is often the case when compliance officers try too hard to batten down the hatches against a regulatory provision they may not fully understand.
In an effort to keep top-secret data from leaving the company on USB sticks, for example, a company may decide to block off every USB port in the path of employees. Jeffrey Barto, a bank security director based in New York, cited this example and said there are much more sensible measures to be had, like tightening the rules on what employees can store on USB sticks and closely monitoring usage to ensure the rules are being followed.
5. Gathering Data Won't Help if You Can't Determine the Behavior Behind It
Gathering data and not using it properly or not gathering the right data for compliance requirements is another problem Barto has seen. "An example is capturing all e-mail, resulting in millions of records without establishing intelligence to determine patterns or deviations," he said.
The best advice against all these missteps, experts said, is to simply slow down and take careful stock of where the company's greatest risks are. From there, companies need to take careful study of the security tools available to them and figure out before buying them if compatibility with the rest of the network will be an issue.