How Does Encryption Complement Compliance Efforts?
Compliance as a Catalyst for Encryption: It’s Happening Across All Industries
Peak 10’s 2016 Encryption Research Study found that nearly 64% of businesses across all verticals are subject to regulatory requirements of some kind, whether HIPAA, PCI DSS, or another framework among the many regulators, and that the heightened risk of a breach goes hand in hand with those compliance obligations. Compliance is clearly the main factor laying the groundwork for encryption adoption. Interestingly, despite the pervasiveness of regulatory requirements, fewer than half of organizations currently use file-level or transparent encryption.
All businesses are working out how to address trust concerns, the risk of negative financial impact, and federal and state penalties (particularly where HIPAA- and PCI-related data are involved) while operating in an increasingly hostile cyber environment.
Some industries, such as healthcare and finance, are inherently tied to compliance given their obligations under HIPAA and PCI DSS. Regardless of the vertical, organizations subject to compliance mandates may be legally required to report data breaches, unless the sensitive data was encrypted when it was stolen. An attacker who gets past security controls and obtains only encrypted data holds nothing valuable or marketable: the data is scrambled, and decrypting it without the key is not a practical use of their time (it is, for all practical purposes, infeasible).
Adopting encryption strengthens an organization’s security practice while bringing it into closer alignment with compliance requirements.
What Do Compliance Mandates Really Say About Encryption?
Here’s where the confusion comes in. Every organization needs to understand the details of its compliance obligations, because they are not the same for every business. Many regulatory bodies have specific stipulations for information security, but where encryption is referenced, they often do not prescribe a detailed methodology for implementing it.
As a result, organizations that must adhere to compliance requirements might ignore encryption or adopt it under a loose interpretation. There are several types of encryption, and some provide greater security than others depending on the objective. For example, full-disk encryption is designed to protect against physical theft of the disk; once the system is running and the volume is mounted, any user or process the operating system allows to read a file gets its plaintext. Full-disk encryption therefore does not provide the granular access control that a policy-based file-level encryption solution offers.
Encrypting your data may protect you from breach reporting obligations. However, that is starting to change: the state of Tennessee is making efforts to require public reporting of all breaches, encrypted or not. The problem is that when encryption is treated only as a reporting exemption, bare-minimum security and encryption efforts are applied, leaving significantly greater vulnerability and potential for a breach despite nominal compliance.
Compliant and Secure are Not the Same Thing
Because security measures are part of compliance considerations, another common belief is that meeting compliance requirements is equivalent to being secure.
Not so. Compliance is not security; the two are related, but they are not the same. Encryption is a security control that every business should be using for critical data, and it may be an element of your compliance requirements, but it is only a baseline for an adequately secure future state. Know the mandates you must adhere to, do not gloss over any aspect of what is being asked of your company, and identify how you can go beyond them to not only stay in compliance but prevent successful breaches.
There can be no compromise on having a complete, detailed awareness of the security controls your organization must implement under the compliance mandates that apply to you.
Peak 10 encryption experts are always available to talk about your organization’s security practice. Whether you’re wondering if you should adopt encryption or you need help modifying your current strategy, we’re here for you. If your team has questions, we’ve got answers: reach out at any time by visiting www.peak10.com/contact-us or calling 866-473-2510.