Why Compliance Doesn’t Equal Security

July 13, 2023 | Cybersecurity Consulting

by: Devin Olsen

One of the worst mistakes a business leader can make is believing that compliance equals security. 

There are many examples of this, but the most egregious often relate to password requirements. Nothing about an eight-character password makes a system secure. In fact, in many ways, even the standard “complex password” has been made irrelevant. With a modern graphics card, password-cracking programs like John the Ripper, Hydra, and Hashcat can crack an eight-character password with numbers, upper- and lowercase letters, and symbols in 39 minutes. Remove just one of those elements (and most password requirements only require three of the four) and that time drops to just seven minutes.

Social engineering is another reason why compliance does not guarantee security. A password alone cannot protect an organization from social engineering without compensating controls, such as multi-factor authentication (MFA). A bad actor just needs to convince one employee that they are a legitimate member of the IT team and they have access to your company. No amount of standardized security training can safeguard an entire organization against all avenues of social engineering, whether it’s via email, voice, text, or even physical impersonation.

So why do many top executives feel this false sense of security?

In many cases, leaders simply don’t understand that many frameworks, like HIPAA for healthcare organizations and PCI-DSS for the payment card industry, weren’t written to create secure environments; they were written to provide a baseline of minimum standards. Security must be built on top of compliance—not established through it.

Other times, leaders are just lazy and look for simple answers when there aren’t any. It can be tough to balance security and function, but many companies just want to save money, rather than take the time to establish a robust security posture. They do this by meeting the minimum requirements to check off the boxes—and they pay for it later with loss of data, reputation, and customers.

What should organizations do instead?

At the organizational level, frequent and hands-on security training is key, and that should include discussions about choosing secure passwords. In general, the longer the password, the better. The time it takes to crack a password increases exponentially as more characters are added. In fact, the best password is actually a passphrase: something personal to the individual, so it’s easy to remember, but at least 16 characters long and preferably including all four complexity markers (upper- and lowercase letters, numbers, and symbols).
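To make the “grows exponentially” point concrete, here is an added example (not code from the original post) that computes the search space, in bits and in worst-case exhaustive-search time, for the password policies discussed above. The 33-symbol count and the guess rate are assumptions chosen for illustration; real rates depend heavily on the hash algorithm in use.

```python
import math

# Assumed character-class sizes (printable ASCII). The 33-symbol count is an
# assumption; policies differ in which symbols they allow.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALL_FOUR = ("lower", "upper", "digit", "symbol")
THREE_OF_FOUR = ("lower", "upper", "digit")


def alphabet_size(classes):
    """Size of the alphabet a policy permits, e.g. 95 for all four classes."""
    return sum(CHARSET_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Search space expressed in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size(classes))


def worst_case_seconds(length, classes, guesses_per_second):
    """Time to exhaust the keyspace at a constant guess rate (worst case)."""
    return keyspace(length, classes) / guesses_per_second


def human_duration(seconds):
    """Render seconds in the largest convenient unit, e.g. '18.4 hours'."""
    for name, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare_policies(guesses_per_second=1e11):
    """Rows of (label, bits, worst-case seconds) for the policies in the post.
    The default guess rate is a constructed placeholder; compare rows relatively."""
    policies = [
        ("8 chars, 3 of 4 classes", 8, THREE_OF_FOUR),
        ("8 chars, all 4 classes", 8, ALL_FOUR),
        ("12 chars, all 4 classes", 12, ALL_FOUR),
        ("16-char passphrase, all 4 classes", 16, ALL_FOUR),
    ]
    return [(label, entropy_bits(n, cls), worst_case_seconds(n, cls, guesses_per_second))
            for label, n, cls in policies]


if __name__ == "__main__":
    for label, bits, secs in compare_policies():
        print(f"{label:36} {bits:6.1f} bits  {human_duration(secs)}")
```

Each added character multiplies the search space by the alphabet size, so going from 8 to 16 characters squares the keyspace rather than doubling it.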

Even better than choosing a secure password: using a password manager and turning on multi-factor authentication. In the wake of the recent LastPass hack, however, it’s more important than ever to research your chosen solution and ensure the vendor has a robust security posture itself before rolling out the product company-wide.

Remember: The most likely method for a bad actor to gain access is through lost or stolen credentials, and the easiest avenues for that are social engineering and easy-to-crack credentials. Developing hands-on security training, implementing MFA, and requiring the use of a password manager are three easy steps organizations can take to empower employees and greatly minimize the risk of a breach.

Are you ready to learn how BARR can help you simplify the path to security and compliance? Contact us today to meet with a BARR associate.

About the Author

Devin Olsen
Associate Consultant, Attest Services

As an Associate Consultant, Devin Olsen supports the planning and execution of cyber risk engagements, including information technology audits and risk assessments for clients in various highly regulated industries.

Devin is a recent graduate of Western Governors University with a bachelor’s degree in cybersecurity and information assurance. He brings five-plus years of prior experience as an instructor in special education. His interests include cloud security, digital forensics, and governance, risk management, and compliance.