Hannaford breach illustrates dangerous compliance mentality

As Executive Editor Dennis Fisher explains, the Hannaford supermarket breach illustrates how too much emphasis on compliance puts critical data at risk.

By Dennis Fisher, Executive Editor, SearchSecurity.com

Whenever ugly incidents such as the security breach at the Hannaford Bros. grocery chain occur, the natural reaction of those in the industry is to look at them through the prism of security and accountability. That is, which part of the company's defense system failed and who is to blame? Once the "what" portion of this question is answered, we can then move on to the "who" part, assign some blame and move on to the next attack.

Behind the Firewall

But looking at the Hannaford incident from a different angle reveals that in this case it's not necessarily a technology or a person, but an industry-wide mindset that's at fault here. The decline in emphasis on security in favor of a sometimes maniacal focus on compliance with various standards and regulations has created a climate in which passing an audit or satisfying a regulator is deemed more important than actually doing what's necessary to protect critical assets. This, as we're seeing on a daily basis now, is a dangerous situation, and it's a problem that must be addressed within each individual organization if it's to be solved.

Already we are seeing cases in which companies hit by data thefts are using compliance with one standard or another as a shield against culpability and potential liability in court. Many of the stories about the Hannaford breach have mentioned that the company has been certified as compliant with the PCI DSS standard, a fact that Hannaford itself trumpets in its online privacy policy statement. Any attorney worth his salt will make that compliance Exhibit A in a defense of the company against lawsuits from consumers. It's an easy way of saying, Hey, we did everything we could to protect your data. We met the standard implemented by the credit-card companies themselves. What else could we do?

And for consumers not familiar with such standards and what they actually require, that will be enough in many cases for them to cut Hannaford a break. But the reality is that compliance is by no means synonymous with security. Compliance with PCI, HIPAA, Sarbanes-Oxley or any other regulation simply means that at the time of the most recent audit, the organization met the guidelines set out in the regulation. It does not mean that the organization monitors its compliance with those rules on a continuous basis. It is simply a snapshot of the company's state at one moment in time.


In order for compliance to translate into true security, companies must take to heart the painful experience known as continuous process improvement and constantly work to do things better. That's the way things work in the overwhelming majority of companies dealing with the ever-increasing regulatory burden placed on IT staffs these days. People work hard to do what's necessary to protect their companies' networks and customers while also having to satisfy the checkbox nature of many of these regulations and standards. Sometimes those two requirements mesh. But just as often they don't, and more's the pity, because it's leading us all down a dead-end road.

No one would argue that PCI, SOX et al haven't done some good things for corporate America; certainly they have. But that's almost beside the point now, because in some cases those benefits are outweighed by the enormous amount of time and effort security staffs have to spend on compliance, often at the expense of other projects. We're now beginning to see the results of that compromise, and it's not a pretty picture.

The situation is likely to get worse before it gets better, however. Given the economic climate right now and the upcoming administration transition in Washington, more regulation seems likely as the new president looks to put his (or her) legislative agenda in place and make a mark. And, if the data breaches continue, which of course they will, you can bank on some kind of national disclosure law, as well as more federal regulations for organizations that handle personal information.

How's that for irony? We legislated our way into this mess and we'll probably try to legislate our way out, too.
