6 Common Information Security Compliance Risks To Avoid

by Hannah Grace Holladay / December 12th, 2022

Your business is at risk. 

Information security compliance may be the key to protecting your valuable data and reputation. 

Most businesses are likely required to comply with one or more information security regulations and industry standards, whether it’s PCI DSS, HIPAA, FERPA, FISMA, GDPR, SOX, or other regulations with information security components.

Information security compliance should be a priority in your organization, especially if your company handles personally identifiable information, credit card data, healthcare data, financial records, and a wide range of other data categories. Businesses with lax information security risk legal liability, fines, and reputation damage. In the worst cases, non-compliance results in sanctions that prevent a company from continuing operation.

But exposure to legal risk isn’t the only reason businesses should comply with information security regulations. Compliance improves internal security practices, decreasing the risk of security breaches, data leaks, and the financial damage of downtime and service disruption in the event of a security incident. 

In this article, we take a look at six of the most common information security compliance risks. They cut across information security regulations, so you should find a risk relevant to your business regardless of which regulations apply. 

What is an Information Security Compliance Risk?

Compliance risk is a business’s exposure to the consequences of compliance failures. These consequences may include legal penalties, financial losses, and constraints on business operations. Each set of regulations and standards has its own penalties. Here are a few examples. 

  • HIPAA operates a tiered penalty system that runs from $100 per violation to $50,000 per violation. These penalties are set out in the HITECH Act and are adjusted for inflation when applied, so they have significantly bigger dollar values today. 
  • PCI DSS also operates a tiered penalty system with maximum monthly penalties of $100,000. PCI has applied fines of up to $500,000 per incident for security breaches. Security breaches caused by compliance failures can also lead to the termination of relationships with payment processors and banks. 
  • Non-compliance with FISMA can lead to the loss of federal government contracts and funding. 
  • Businesses that operate in the EU must comply with the General Data Protection Regulation (GDPR). Penalties for non-compliance include up to 4% of global revenues or up to €20 million, whichever is greater. 

6 Common Information Security Compliance Failures

1. Poor Identity and Access Management Practices

Identity and Access Management (IAM) consists of systems and processes to manage identities and their access to data, infrastructure, and organizational resources. Failures of identity and access management often result in unauthorized access to sensitive information. 

The most common failures involve lost, shared, or leaked passwords. But IAM compliance failures cover a huge range of security vulnerabilities, including the over-broad configuration of access rights, insecure management of credentials and API keys, failure to delete old credentials, and so on. 

Identity and access management is a business’s first line of defense against unauthorized access and data theft. Poor practices can result in information security compliance risks that expose businesses to damaging penalties. 

2. IT Infrastructure Misconfiguration

Infrastructure misconfiguration is one of the most common compliance risks. As IT systems—particularly cloud systems—become ever more complex, the risk of misconfiguration exposing sensitive data has increased. The vast majority of security incidents involving data stolen from cloud platforms are the result of misconfiguration. 

To take one example we’ve written about extensively on this blog, misconfigured AWS S3 buckets are a gift to cybercriminals. HIPAA-covered entities have often been found non-compliant because they stored ePHI on cloud storage with insecurely configured access permissions. Properly configured, S3 can be used as a compliance data store for ePHI, but configuration failures create massive information security compliance risks. 

3. Insecure Storage of Sensitive Data

Most information security regulations insist that sensitive data is encrypted at rest and that decryption keys are stored securely. When you read about a massive data leak in the media, it’s likely the victim was not following these basic information security risk reduction strategies. Encrypted data is worthless to cybercriminals—they can’t decrypt it, provided the cryptographic keys are stored securely.

Encryption is part of a defense-in-depth strategy. Businesses should implement security measures at network perimeters, such as firewalls. But it’s a mistake to rely on their ability to keep bad actors out. Encryption allows businesses to protect data and mitigate compliance risks even if their networks are breached. 
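The two failures just described, an exposed S3 bucket (section 2) and missing encryption at rest (section 3), can be checked mechanically against a bucket's configuration. The following is an added example, not code from the article or from KirkpatrickPrice; it assumes boto3-shaped configuration responses that are constructed inline under the made-up bucket name example-phi-bucket, and treats SSE-KMS as the preferred default encryption because it keeps key access auditable.

```python
"""Audit a constructed S3 bucket configuration for the failures the article
names: public access, anonymous bucket policies and missing encryption at
rest. Input shapes mimic boto3 get_* responses but are constructed inline."""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(name, public_access_block, policy_json, encryption):
    """Return a list of (severity, finding) tuples for one bucket."""
    findings = []
    # 1. All four S3 Block Public Access settings should be on.
    for key in PAB_KEYS:
        if not public_access_block.get(key, False):
            findings.append(("HIGH", f"{name}: {key} is disabled"))
    # 2. Bucket policy must not grant Allow to the anonymous principal "*".
    for stmt in (json.loads(policy_json) if policy_json else {}).get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous and "Condition" not in stmt:
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(("CRITICAL",
                             f"{name}: policy allows anonymous {', '.join(actions)}"))
    # 3. Default encryption at rest must be set; KMS keys give auditable key access.
    rules = (encryption or {}).get("Rules", [])
    if not rules:
        findings.append(("HIGH", f"{name}: no default encryption at rest"))
    else:
        alg = rules[0].get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if alg != "aws:kms":
            findings.append(("MEDIUM", f"{name}: default encryption is {alg}, not aws:kms"))
    return findings

# Constructed sample: a bucket left readable by anyone and unencrypted.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-phi-bucket/*"}]})
LEAKY = audit_bucket("example-phi-bucket",
                     {"BlockPublicAcls": False, "IgnorePublicAcls": True,
                      "BlockPublicPolicy": False, "RestrictPublicBuckets": True},
                     LEAKY_POLICY, {})
# Constructed sample: the same bucket hardened (no policy, KMS encryption).
HARDENED = audit_bucket("example-phi-bucket", dict.fromkeys(PAB_KEYS, True), None,
                        {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                    {"SSEAlgorithm": "aws:kms"}}]})

if __name__ == "__main__":
    for severity, message in LEAKY: print(severity, message)
```

Running the leaky sample yields four findings (two disabled Block Public Access settings, an anonymous read policy, and no default encryption); the hardened sample yields none.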

4. Shadow IT

Shadow IT is information technology that is not controlled or monitored by businesses. The most common cause of shadow IT risks is the use of unsanctioned cloud IT services. Cloud resources are easily accessible and convenient—often more convenient than the officially approved resources made available by the business. 

Employees who use cloud services without approval to store sensitive data create a significant compliance risk. Cloud access security broker tools can help to reduce the risk, but only if businesses work to eliminate shadow IT. 

5. Inadequate Training

In this article, we’ve discussed several compliance risks created by employees. But these are rarely the result of malice. Employees are trying to do their jobs to the best of their ability, and they lack the training necessary to assess the risk associated with their behavior. Security awareness training is an essential aspect of compliance risk reduction. 

6. Poor Documentation

Poor documentation is related to our previous compliance failure. Employees can’t follow security best practices if there is no documented practice for them to follow. Many information security regulatory frameworks mandate comprehensive security process documentation for this reason. 

For example, PCI DSS Requirement 12 requires “Evidence of security policy created, published, maintained, and distributed to all relevant personnel.” HIPAA requires a range of documentation, including risk analyses, risk management plans, sanctions policies, and notices of privacy practices. 

Mitigate Information Security Compliance Risk with KirkpatrickPrice

KirkpatrickPrice offers a wide range of information security services that help businesses to identify and reduce security compliance risks, including:

Compliance audits, including HIPAA, PCI DSS, FISMA, and FERPA.