When it comes to data security, regardless of your industry sector, you’re likely to have to deal with compliance regulations.
If you’re in the legal industry, there is the Law Society’s Lexcel standards. If you handle cardholder data, you’ll have to comply with PCI DSS. And if you work in healthcare, there are guidelines from HIPAA, NHS England, Wales or Scotland. Then there is the umbrella of the ISO 27001, covering any set of information relating to individuals in any sector.
Compliance requirements for user security are similar regardless of industry
While different industries have different security requirements, the user security side of compliance is remarkably similar, because employees in any business are human and prone to making mistakes. Information security is a common goal, so the steps you need to take to achieve compliance in your industry will be similar to those in others.
Many regulatory standards provide quite detailed processes on how to achieve compliance. This may include implementing the right technology to help employees protect information, providing regular IT security training as reminders, and ensuring that you have an updated IT security policy in place.
For example, PCI DSS and the Financial Conduct Authority emphasise the importance of staff training for new recruits. NHS guidelines and Lexcel dictate that companies must deny concurrent logins on the network with the same employee credentials. ISO 27001 states a formal de-registration process must be in place for employees who leave the company.
But despite the consequences for non-compliance becoming more severe, through larger fines and even the threat of imprisonment, it was surprising to note in our recent research the level of non-compliance across industries with regard to user security. This is worrying for many reasons, not least because these companies are putting their clients’ personal and sensitive information at risk.
Three of the most heavily regulated industries are getting compliance badly wrong
In our research, we surveyed US and UK employees in three of the most heavily regulated industries — healthcare, legal and financial services.
The research showed that:
- 43% of employees in these industries did not receive IT security training when they first joined the company.
- 40% of companies do not have a documented IT security policy.
- 41% of companies do not even enforce the use of secure passwords.
- Nearly 1 in 3 employees don’t need to log in to company systems to access sensitive information.
- More than half of companies (54%) do not immediately revoke network access once an employee has left the company.
Each of these statistics represents a larger window of opportunity for an attacker to exploit. Individually, they might be harmless. But together, they’re a huge risk to company networks and to sensitive customer information.
Your next steps
Compliance is all about following best practices. If you do the basics right, you’ll go a long way to becoming compliant and providing the best line of defence for your company.
But where should you direct your focus?
First, address the human aspects of security, by providing effective ongoing training and ensuring you have robust security procedures in place. Make sure you create and share a security policy with everyone in your company and include any penalties for poor security that will be enforced.
Technology complements the human aspects of security, and is the third part of the solution. Ensure that you have the right software in place so employees not only use passwords effectively but are also prevented from poor practices such as logging into your network concurrently. Unique user logins aren’t helpful if someone has shared their password or is logged into two machines at once — how do you determine who the unique user is in that scenario?
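As an added example (not code from the original post or from any product it describes), here is a small Python detector that flags the concurrent-login situation described above over a constructed set of logon/logoff events; the event tuple layout and the sample records are assumptions, not any vendor's log format.

```python
"""Flag concurrent sessions for one account on different hosts.

Added example: a detector you could run over exported logon/logoff events to
spot the 'one credential, two machines' case that defeats per-user attribution.
The event layout (timestamp, user, host, action) and the records below are
constructed assumptions, not a real product's log schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (ISO timestamp, user, host, action)
SAMPLE_EVENTS = [
    ("2024-03-04T08:58:00", "alice", "WS-101", "logon"),
    ("2024-03-04T09:02:00", "bob",   "WS-205", "logon"),
    ("2024-03-04T09:05:00", "alice", "WS-117", "logon"),   # alice still active on WS-101
    ("2024-03-04T09:20:00", "alice", "WS-101", "logoff"),
    ("2024-03-04T09:30:00", "bob",   "WS-205", "logoff"),
    ("2024-03-04T09:31:00", "bob",   "WS-205", "logon"),   # same host again: not concurrent
    ("2024-03-04T10:00:00", "carol", "WS-300", "logon"),
]


def detect_concurrent_logins(events):
    """Return (user, new_host, existing_hosts, timestamp) for every logon that
    happens while the same user still has an open session on another host."""
    # Sort by time so an out-of-order export cannot hide an overlap.
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    active = defaultdict(set)   # user -> hosts with an open session
    findings = []
    for ts, user, host, action in ordered:
        if action == "logon":
            others = active[user] - {host}
            if others:
                findings.append((user, host, sorted(others), ts))
            active[user].add(host)
        elif action == "logoff":
            # discard() tolerates a logoff with no matching logon in the export
            active[user].discard(host)
    return findings


if __name__ == "__main__":
    for user, host, others, ts in detect_concurrent_logins(SAMPLE_EVENTS):
        print(f"{ts}: {user} logged on to {host} while still active on {', '.join(others)}")
```

A real deployment would feed this from the directory or endpoint audit log and pair each finding with a policy action (alert, or refuse the second session), which is the control the guidelines above ask for.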
We’ve put together handy user security checklists, which you can use to make sure you’re up to scratch:
Financial Services User Security Checklist