In 2018, 61 percent of IBM i organizations are required to comply with a compliance mandate of some kind, from PCI DSS and GDPR to smaller, local regulations. After years of record-breaking data breaches, regulations aimed at protecting sensitive data are on the rise. (New York’s Cybersecurity Regulation is just one example.)
Organizations with a compliance requirement in place have, on average, 3.66 IBM i security solutions in place—that’s twice as many solutions as the organizations that have no mandate.
Of course, having a software solution in place isn’t a magic bullet when it comes to securing your systems. But it’s much harder to secure your systems when you’re relying on manual strategies that are labor-intensive and prone to human error.
Compliant Doesn’t Equal Secure
Our position at HelpSystems has always been that achieving compliance isn’t the same thing as maintaining security. The survey results don’t change that, but they do add some color around the topic.
Compliance requirements vary in their goals and requirements. PCI DSS is quite different from SOX’s IT requirements, for example. But generally, compliance mandates prescribe security best practices that help organizations protect their data and IT resources.
We’ll add the caveat that it’s possible to do the bare minimum necessary to pass an audit—and still leave your systems vulnerable. This is especially true if the auditor is unfamiliar with IBM i.
And it’s not as if the organizations with a compliance mandate have implemented all the best-practice security controls. More than half of all survey takers (including 52 percent who have a mandate) have no plans to implement anti-virus protection, despite the increase in malware and ransomware attacks in 2017.
There’s room for improvement for most organizations, but the IBM i Marketplace Survey clearly shows that compliance mandates are correlated with greater investments in data protection. Compliant isn’t the same as secure, but there is a relationship between the two.
Don’t Get Left Behind
Organizations that neglect cybersecurity often pay a steep price. The average cost of a data breach was over $3 million in 2017. The final total might not be clear until years after the breach was discovered. (Target’s 2013 breach is a perfect example.)
Many organizations mistakenly believe they’re safe from attacks because no one targets IBM i (not true) or because attackers are aiming for bigger targets (also not true). Attackers look for the path of least resistance. In 2017, 61 percent of SMBs said had experienced a cyberattack in the previous 12 months.
Compliance mandates aren’t a panacea for data breaches. Many organizations facing a compliance mandate have not yet implemented all the security controls required by that mandate, according to the IBM i Marketplace Survey.
Mandate or no, you can put your organization in a better position to resist attacks by devoting regular attention and resources to cybersecurity. That might include implementing commercial-grade solutions, educating your team on IBM i security best practices, or getting professional help with your security projects.
Make Incremental Improvements
IBM i security is too big a project to tackle everything at once, but small steps forward can have a big impact. If you’re looking for a place to start, we have a few cost-effective (free!) recommendations that have helped other IBM i professionals:
Get a Security Scan: You can’t improve your security posture if you don’t know where the problems are. A free, no-obligation Security Scan from HelpSystems will show you where your systems are at risk and help you prioritize corrective action. Assessing your security configuration is so important that most compliance mandates require an objective assessment like this. Your Security Scan also includes a report summarizing the results, which you can save for your records and share with others at your organization.
IBM i Security Education: IBM i is one of the most securable platforms around, but only if you maintain a secure configuration. Learn more about what a secure configuration looks like and what vulnerabilities are most common in the annual State of IBM i Security Study. Another option is to join our Getting Started with IBM i Security e-course, which covers six key areas of IBM i security.
Initiate Security Conversations: We often hear that executives don’t understand how important IBM i is for day-to-day business until a problem arises. You don’t want something to go wrong on your watch, so be proactive. Frame IBM i security in terms of risk to your organization.
Whether your organization is subject to a compliance requirement or not, protecting your data and IT resources is critically important to your organization’s future. We all need to be thinking about cybersecurity—not just those organizations in regulated industries.