Why Compliance Doesn’t Equal Security

Originally published by BARR Advisory.

Written by Devin Olsen, Associate Consultant, Attest Services, BARR Advisory.

One of the worst mistakes a business leader can make is believing that compliance equals security.

There are many examples of this, but the most egregious often relate to password requirements. Nothing about an eight character password makes a system secure. In fact, in many ways, even the standard “complex password” has been made irrelevant. With a modern graphics card, password-cracking programs like John the Ripper, Hydra, and Hashcat can crack an eight-character password with numbers, upper and lowercase letters, and symbols in 39 minutes. Remove just one of those elements (and most password requirements only hit three out of the four) and that time drops to just seven minutes.

Social engineering is another reason why compliance does not guarantee security. A password alone cannot protect an organization from social engineering without compensating controls, such as multi-factor authentication (MFA). A bad actor just needs to convince one employee that they are a legitimate member of the IT team and they have access to your company. No amount of standardized security training can safeguard an entire organization against all avenues of social engineering, whether it’s via email, voice, text, or even physical impersonation.

So why do many top executives feel this false sense of security?

In many cases, leaders simply don’t understand that many frameworks, like HIPAA for healthcare organizations and PCI-DSS for the payment card industry, weren’t written to create secure environments; they were written to provide a baseline of minimum standards. Security must be built on top of compliance—not established through it.

Other times, leaders are just lazy and look for simple answers when there aren’t any. It can be tough to balance security and function, but many companies just want to save money, rather than take the time to establish a robust security posture. They do this by meeting the minimum requirements to check off the boxes—and they pay for it later with loss of data, reputation, and customers.

What should organizations do instead?

At the organizational level, frequent and hands-on security training is key, and that should include discussions about choosing secure passwords. In general, the longer the password, the better off it is. The time it takes to crack a password increases exponentially as more characters are added. In fact, the best password is actually a passphrase—something personal to the individual, so it’s easy to remember, but it has at least 16 characters and preferably includes all four complexity markers (upper and lowercase letters, numbers, and symbols).

Even better than choosing a secure password: using a password manager and turning on multi-factor authentication. In the wake of the recent LastPass hack, however, it’s more important than ever to research your chosen solution and ensure they have a robust security posture themselves before rolling out their product company-wide.

Remember: The most likely method for a bad actor to gain access is through lost or stolen credentials, and the easiest avenues for that are social engineering and easy-to-crack credentials. Developing hands-on security training, implementing MFA, and requiring the use of a password manager are three easy steps organizations can take to empower employees and greatly minimize the risk of a breach.