Corporate Compliance – The Struggle Is Real
In my latest blog I want to touch on the world of compliance in technology and hopefully help with the headache of where to begin. ‘Big-tech’ is very much a political focus right now, with regulations such as GDPR already being enforced and, for the foreseeable future, further regulations on the horizon for things like a digital services tax.
Of course, compliance is such a vast topic to tackle, touching on varying industries and technologies, so no doubt this blog will quite literally only scratch the surface.
The Challenge
Workplace Health & Safety, Environmental, Corrupt Practices, Social Responsibility, Quality, Process, Public Relations... the list of risks that a compliance department must take into consideration is endless, as is the rapid growth of law and legislation that applies to the businesses of today.
Amongst an endless list of risk factors Compliance Officers need to identify, there’s also advisory, prevention monitoring, detection and resolution in the mix too. It genuinely astonishes me how a Compliance Officer hasn't made the list of top ten most stressful jobs in 2019.
One area of risk I will focus on in this blog that I haven't yet mentioned is technology. Technology is an ever-expanding realm of risk and complexity, without a doubt becoming a Compliance Officer’s consistent top challenge; privacy, data protection, and GDPR are really just the tip of the iceberg. On top of that add industry specific laws and regulations, global laws and regulations and growing public awareness and political focus on data privacy and cyber security.
The risk of corporate non-compliance can be huge, ranging from the legal impact such as fines, penalties, imprisonment and product seizures; to the financial impact of the bottom line, share price and future earnings.
Then there’s the business impact of shutdowns, and the reputational impact of bad press, social media conversation and loss of trust from both employees and consumers. Non-compliance, in some instances, can be enough to see a business owner kiss goodbye to their life's work, leaving all who worked for that company and their families in sometimes dire circumstances.
Those responsible for a business’s compliance truly have a lot on their plate.
Beginning the Plan
One prime responsibility of a Compliance Officer is to identify risk, and a common way to do that is by carrying out regular risk assessments. The UK Government agency HSE (Health and Safety Executive) states risk needs to be assessed "every time there are new machines, substances and procedures, which could lead to new hazards."
This advice can be extended to technology. Any kind of risk assessment is only as good as the day it is completed, especially in this ever-changing and ever-growing world of the mobile workforce and cyber threat.
For example, let’s take the recent Checkm8 threat, a permanent, unpatchable bootrom exploit that makes affected iOS devices a significant risk to any business that allows its employees to access corporate data on those iPhones/iPads. The risk assessment would need to be readdressed and decisions made on how to mitigate the risk of one of those devices ending up in the wrong hands (or just completely rid the company of iOS…we will save the taboo topic for another time).
Risk assessments apply to the technology within a business just as much as they do to health and safety and the many other areas already mentioned. Assessments must take place regularly in order to demonstrate that a business is doing everything it can to mitigate risks to the business, thus demonstrating best practice in its approach to compliance.
In saying that, there lies another challenge. Firstly, does a business have the appropriately skilled people within it to conduct the relevant assessments and testing of their technology? Secondly, we refer to insider threat all the time in our industry and this doesn’t differ when it comes to assessing the state of an environment and identifying risk.
I know personally that every day I do my best to perform to my role and responsibilities but my word, if I miss something or receive some criticism, it hurts; almost feels personal when you know you’ve done your utmost. It is natural human instinct that when your thinking, emotions and actions align to execute a goal, you feel empowered. However, when that goal isn’t quite executed, all those three things become unaligned and it feels almost intolerable in some cases.
How it is dealt with from there on is what matters: the urge to avoid that feeling can, in some cases, provoke an element of dishonesty and non-transparency. That is a risk. Are you sure your personnel are reporting the full picture, even if they may have missed something?
Calling in the Cavalry
Often, a third party is engaged to help where areas of skill are lacking or for complete transparency in order to highlight true risk. Why might you start by engaging a third party?
· If your internal team haven’t found a certain risk by now, would they have found it in enough time to prevent the consequences?
· Assessments completed by unskilled people can leave gaping holes, with areas that could have been investigated going without investigation and left wide open.
· Reassurance that the risk assessment has been completed by a true professional that eats, sleeps and breathes what they do for a living and is giving you complete transparency of findings.
· Importantly, sometimes it can also come down to cost. Skilled professionals in information security are not cheap.
There are so many things that are considered before an assessment is even started, so I guess we can refer to this stage more as a getting started guide, all things considered…
How to Identify
As I’ve mentioned already, the first part of risk assessment is always to identify where the risk is. In most cases there will already be some significant measures in place, and it is just a case of uncovering the holes and progressing from there with the relevant remediation.
Whether you have chosen to engage a third party, or you have the skillset in house, it is important to understand what the current state of affairs looks like. Gathering your security specialists, transformation teams and key stakeholders, and tying all elements of the business together, is key to understanding where you are currently and mitigating risk for what is to come.
At this stage, I feel it is important to check that the people involved in identifying risk and carrying out this risk assessment are familiar with the relevant regulations and standards. Some of these may include ISO 27001, GDPR, PSN, CESG and NCSC guidance, and so on. Just ask the question!
There are so many third parties out there in the market that claim they can help with these types of identity assessments, and not all of them are as kosher as each other. Look at references, look at who third parties partner with, and look at who they have carried out identity assessments and security assessments for.
These are all good steps to getting started and identifying areas of risk: the correct people, the correct resources and the correct tools.
What Next
Identification done. Where do you go next? As I wrote earlier: advisory, prevention monitoring, detection and resolution. Unfortunately for me, who regularly needs to be reined in from lengthy (and hopefully informative) reams of text, continuing on to the areas of what’s next would push us more into the realms of a 50-page PDF. So, for this blog, I am going to leave it there until next time, where I will aim to look at advising around the next steps.
As always, I am keen on feedback and fortunate enough to be one of those people that can realign the thinking, emotions and actions to come back and rethink outside of the box! So, don’t worry, you won’t shatter me with your criticism! I would love to hear your thoughts and have some conversation surrounding this topic. As always, I am also here for advice should you wish to reach out.
T: 0737 5225 365
Comment from Non-Human Identity Specialist | NHI IAM (5 years ago): Nice piece Stacey