by Sue Dunnell.
With another data breach in the news, consumers are reminded of the steps they need to take to monitor their own online information, including bank transactions, and ensure they are taking adequate security precautions.
And the recent Capital One breach was also a reminder for business organizations that they should continuously look at their policies and practices to ensure they limit employee and contractor access to cloud-computing systems.
Most companies have a compliance policy, but regulations change frequently and it’s hard to keep the compliance policy and procedures up to date. Reuters notes that a new bank regulation is implemented every 12 minutes!
Since ownership for compliance crosses business silos, it is challenging to ensure policies are consistently updated with changes, and that the impact of those changes is communicated to other departments and staff. It is usually IT that bears the brunt of the fallout from a data breach, having to explain the vulnerability, restore service after outages, and outline target hardening strategies.
The cost of non-compliance can be staggering, as it includes fines, settlements, lost business, revenue, and productivity. At nearly $15 million, the cost of non-compliance is nearly triple the cost of a compliance program. And the damage to an organization’s reputation can lead to significant losses in both revenue and customer loyalty.
But a breach also affects morale and company culture, and can cause significant internal strife as well. It can stifle productivity as employees feel they are working in an environment of finger-pointing, anxiety and paralysis.
Companies convey many messages to employees about security, communication, involvement in the local community, and employee activities outside of work. But companies must also promote an environment of compliance. This means generating awareness of the risks, engaging employees to feel empowered and responsible to act, and leading by example.
Many organizations have a compliance officer, a committee with representatives from different departments, and compliance training staff. But most employees do not view compliance as their responsibility; it’s something that somebody else worries about.
But in today’s environment, everyone needs to worry about it. Recent studies found that the top three causes of breaches were hacking, employee error or negligence, and accidental email or internet exposure.
Other research has shown that information security and compliance requirements can be burdensome for employees to follow; they can be ambiguous and difficult to understand. And, employees need to know how to identify red flags and when to escalate an issue.
Incentives for employees to follow compliance procedures can be built into employee performance measures; this will not only drive awareness but also demonstrate the value the company places on protecting data and being in compliance.
It’s also important to foster transparency by educating everyone about the need for compliance, the impact, the ownership, and the details when a breach does occur as well as the steps to be taken in response.
Through collaboration, organizations can create a culture of compliance by promoting an understanding of how compliance violations and data breaches impact IT, business units, revenue, and company reputation. As the organization puts new policies, procedures, training and incentives in place to encourage all employees to be vigilant and aware of compliance, it conveys the message that it is important to the organization’s mission and success.
But it also has the power to build trust in the organization from both their customers and their employees — a significant advantage in today’s noisy news cycle, when the next breach could be in tomorrow’s paper.