Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

HIGH PROFILE DATA BREACHES SIGNIFY IMPORTANCE OF PUTTING SECURITY AHEAD OF COMPLIANCE

By Richard Hibbert, CEO, SureCloud

In recent weeks there have been a number of data breach stories here in the UK and in North America.   UK travel insurance provider Staysure revealed that around 93,000 customers may be affected after sensitive bank card details were thought to have been stolen as a result of an IT security breach. At the end of January the US arts and crafts retailer Michaels revealed it was the latest retailer to investigate a possible credit card leak. Other breaches occurred at Neiman Marcus and Target where it is thought that personal data for as many as 110 million customers was leaked.

Richard Hibbert, CEO, SureCloud
Richard Hibbert, CEO, SureCloud

The IT Governance website claims it is clear that in Staysure’s case the organisation was not PCI DSS compliant at the time of the breach because PCI DSS does not allow sensitive authentication data to be stored post authorisation.  A key issue to bear in mind is that PCI DSS compliance only requires a single compliance assessment each year.  The assessment merely represents a snapshot in time, a valid judgment made at a single point during a twelve month period and not a guarantee of compliance the following day. There is plenty of evidence to show that many data breaches occur sometime after a successful PCI DSS audit.

Unfortunately many compliance solutions on the market today are expensive, take a long time to implement and require organisations to completely overhaul their in-house processes.  For this reason many organisations are making do with home-grown systems based on spreadsheets to manage compliance programmes such as PCI DSS. Yet a spreadsheet-based approach has many shortcomings including a lack of central visibility or control over the compliance process, burdening skilled compliance and risk personnel with manual process administration and insufficient insight into trends and anomalies to support business decisions.  In many cases it’s all about the pursuit of compliance for compliance’s sake instead of focusing on making security the first priority.  Data breaches such as those mentioned above highlight that organisations in the 21st century need something better than spreadsheets for managing their security processes.

SureCloud advocates a continuous approach to information security where the primary focus is to improve the security of an organisation’s infrastructure and applications, rather than a “tick box” compliance exercise. A continuous approach to compliance puts controls at the centre of the compliance programme, rather than an annual audit, where control activity is performed and monitored throughout the calendar year. This approach provides real-time visibility of the organisation’s compliance status – the net effect being more merchants incorporating PCI DSS compliance into their business-as-usual (BAU) practices and importantly improving the organisation’s security posture.

About SureCloud®:

SureCloud helps to automate any IT Governance, Risk and Compliance (GRC) process, such as Compliance Audits, Policy Management, Risk Assessments or Third Party Assurance programmes. The SureCloud® Platform supports an agile approach to implementation and per user pricing, dramatically reducing the total cost of ownership. Established in 2006, SureCloud is a British company based in Reading, Berks, with more than 300 customers throughout the UK from the Retail, Financial Services and Government sectors, including a large number of local authorities. For further information please visit www.surecloud.com.