The Cost of Compliance
By Kevin Quinlan | Posted 2011-12-06
Improving visibility across its IT infrastructure bolstered restaurant chain Bertucci’s security and compliance initiatives.
Complying with both regulations requires significant cost, time and effort that must be diverted from other core business operations. What’s particularly notable about the Ponemon study’s findings, however, is that the cost of noncompliance far outweighs the costs associated with achieving and maintaining compliance. That’s not hard to imagine when you consider the costs of recompensing those whose data is compromised, legal fees, unrealized revenue and resources deployed to address problems, among other things.
What became immediately clear was that we lacked visibility into changes that could move us out of compliance. For instance, if an employee were to change file rules to inappropriately grant himself or herself administrative rights, or make a wrongful change to firewall settings, serious vulnerabilities could result and potentially threaten data, disrupt critical business processes and jeopardize compliance with regulatory standards. We also recognized that by addressing our compliance needs—which was viewed as a priority among the executive team—we had an opportunity to improve our overall security posture.
Because Bertucci’s has nearly 6,000 employees, a large amount of sensitive information, such as accounting, human resources and other data, flows through our network at any given moment. So it’s critical that the right people—and only the right people—have access to that information.
The problems that plagued us in the past include instances when someone in accounts receivable inadvertently got access to payroll files and when access was not terminated for employees who left the company. What’s more, since the majority of our employees are transitional or part-time, we had a clear security case for achieving full visibility into who is accessing folders in violation of user rights.
That’s a powerful motivator because we had virtually no awareness of who was accessing what information—and whether incidents were benign instances of employees “fat-fingering” passwords (typing the wrong character) or if there was malicious activity under way that could compromise our servers. We didn’t know if we were secure or compliant, or if we were just moments away from a massive data breach.
Another key security consideration rears its head when new systems are brought online. Bertucci’s averages one or two new servers per month, whether part of the standard refresh cycle or recent upgrades we made to our SQL Servers. Either way, configuring each of these systems presents a massive security hole if the configuration isn’t verified before the software is loaded.
So, ultimately, we came to recognize the value of compliance—not for the sake of checking some boxes to keep regulators at bay, but as a catalyst for implementing much-needed security measures. For that reason alone, we developed a fine appreciation for compliance, rather than the feelings of frustration I hear from my peers.