Following data security best practices means keeping up with the expanding threat landscape and proactively planning more effective ways to deal with those emerging threats. For organizations, that can mean spending funds that may not have a tangible return, and real security requires proactively identifying vulnerabilities and patching them. Compared to that, simply complying with industry standards such as PCI DDS seems easier in many ways.
However, it is critical to note that compliance alone, while important, may not provide the risk mitigation needed to give organization executives peace of mind that data is reasonably secure. The TJ Hooper case illustrates perfectly the dilemma organizations have faced when dealing with compliance requirements and best security practices.
While en route to New York from Maryland in 1928, a tugboat called the TJ Hooper met with a harsh storm that sank it and the three barges it was towing. After learning that the tugboat and the three barges had sunk, the owners of the cargo on the barges sued the barge owners. The barge owners then laid the fault at the hands of the tugboat owners and sued them for neglecting to equip their boats with radios (technology that was available but not required for ships to carry) which would have helped them avoid the storm (ships capable of receiving weather warnings were able to avoid the storm).
The tugboat owner argued in court that their boats were equipped with all the required equipment, and weather radios were not required. While the judge acknowledged that the tugboat owners had been compliant with current standards, he found that they were liable for the lost cargo because the owner failed to implement available technology that would have prevented the loss.
Similar to the tugboat owner, IT executives may feel that they are sufficiently securing data by checking off boxes indicating compliance with current security standards. It may even be inconvenient or difficult to spend money to implement better security measures. One survey by Vormetric, however, found that for some IT executives the budget may not be the issue, but rather a slanted outlook. According to the survey, 64% of security professionals felt that adhering to basic compliance requirements are “very” or “extremely effective” at preventing data breaches. This study indicates that some IT professionals may see compliance and security as one and the same.
This skewed mindset clashes with what recent data breaches have shown. For example, Heartland Payment Systems and Target, two of the largest data breaches, were both compliant with PCI requirements at the time they were breached, but just as with the tugboat, compliance did not help them avoid the storms that hit.
In 2008, hacker breached Heartland Payment Systems, a payment processing provider, and stole the credit card data for 130 million credit cards. The breach cost Heartland $120 to $150 million, including fines and repairs. At the time of the breach Heartland was PCI compliant, but did not have further security in place that could have helped shield against the attacker. In 2010, Heartland announced—too late—that they would be adopting end-to-end encryption for their processing system.
Similarly, in Target's situation, an attacker infiltrated payment terminals and wreaked havoc on the credit accounts of consumers. This cost Target nearly $250 million in damages, including a $10 million settlement for consumers and implementation of a new, multi-million-dollar security program.
The problem organizations often face is being compliant but not secure—Heartland and Target learned the hard way that compliance is not the same as security. Because of the evolving threat landscape, security cannot be viewed as check-box to be dealt with and forgotten. Security must constantly progress to meet and mitigate the world's ever-evolving threats.