Hardly any business process today is carried out without IT support. Compliance is no exception at this point. On the contrary, compliance is often a burden on the shoulders of the IT department. To implement all this across hierarchies, professional solutions are required.
Between lack of communication and technical barriers
In every company, compliance should not just be a key word on the fringes, but should actually be clearly defined across all levels and structures and adhered to. Normally, this includes nothing less than a highly complex set of regulations and behaviours. Whether it’s organizational measures, copyrights, license management or transaction analysis, compliance processes apply to all employees without exception, even though they are not applied by everyone to the same extent. The IT department is usually commissioned to carry out these processes, ranging from assigning authorizations in the file system to special applications for compliance processes.
Although IT thus represents an essential interface between employees and company regulations, it often seems to develop a real life of its own. Lack of communication between the departments often leads to the fact that certain connections are not understood and thus the clean execution of the Compliance is neglected.
On the other hand, technical barriers and a lack of or underqualified specialist personnel hinder a profound system analysis. Weak points remain undetected or are not corrected correctly and the entire company becomes vulnerable.
IT compliance vulnerabilities
Information is already lost between individual departments during the simple instruction of regulations. New employees are trained on the side during the full daily workload, other specifications spread through the silent post scheme and are thus falsified or the technical jargon is simply not sufficiently broken down. Even employees who have been working for the company for years miss the connection to innovations if the communication is not always clean and unambiguous.
A still explosive example is the passing on of passwords. Time and again, incidents become known in which employees have not passed on their company passwords to natural persons, but have used them to authenticate services outside the company. As a result, passwords fell into the hands of third parties and were sometimes misused for hacker attacks on the company. One can assume that password compliance was not properly understood here.
Even measures such as the four-eyes principle or detailed logging are only of limited help if employees literally carry company-specific data to the outside world. For example, data carriers such as USB sticks are regularly lost. A similar compliance violation confronted a semiconductor manufacturer with the worst case scenario. Here an employee forgot to perform the prescribed virus scan of a download file and a virus entered the company network. Several company locations were threatened by a total loss of production.
IT Forensics, Infrastructure and Security
Finding and eliminating faults is an essential task of IT forensics. Ideally, however, these can be prevented in principle, for example by appropriate preventive measures. It is equally important to classify which company data is particularly sensitive/safety-critical and thus interesting for external access. Whereas the hackers have so far focused primarily on technical information and payment flows, details of the organizational structure and personnel data of potentially enticable specialists are now regarded as targets for attacks.
In addition, data leaks are repeatedly caused by internal perpetrators, i.e. employees who deliberately or negligently misuse information. This can be the call up of questionable websites via the operating computer or the use of private devices that connect to the company network via WLAN and can thus also infiltrate viruses.
The question of the modus operandi, who did what and when, then consumes IT resources to a large extent when searching for the corresponding data leak. Especially private devices that are wirelessly networked are much more difficult to control than local networks. Even data rooms such as the cloud, external servers and different communication platforms are far too rarely considered in terms of IT forensics.
In summary, this is referred to as shadow IT, i.e. those parts of the IT infrastructure that are not subject to permanent control. The data process is substituted from the USB stick through smartphones to the home office. Employees are used to it and depend not least on having access to functional, comprehensive and high-performance applications at all times.
Integration of compliance solutions
Compliance areas such as employee communication can be solved much better via CPassS than via private messengers. The question of the GDPR alone cannot be sufficiently clarified for offers such as Whatsapp and Co. However, if, for example, a professional SMS gateway provider is used, additional functions such as journal, statistics, budget control and integration via API into the company’s own applications are also covered. This allows security and archiving processes to be implemented sustainably, while minimizing the risk of data leaks.
Chinese companies have once again had to compensate for the fact that a commitment by the government to use data can be an incredibly difficult challenge. The VPN ban in China brought virtual private networks to their knees. Anyone who wants to continue working with virtual private networks must have their VPN licensed from now on. As a result, the otherwise securely encrypted data traffic between different parts of the company is monitored by the state. The confidentiality of data transmission can no longer be guaranteed and it cannot be ruled out that data will be altered.
In order to circumvent these technical barriers as well as not to let already mentioned communication difficulties become weak points, innovative solutions have to be found that integrate IT and compliance equally. The IT department and legal representatives of the company must work even more closely together here. Because the actual question of who is finally responsible for identifying risks and data leaks or who is responsible for remedying them and taking preventive measures still seems unclear in many companies. The situation requires that the departments communicate with each other and standardize the compliance process.