Compliance and IT: Interfaces with weak points

Hardly any business process today gets by without IT support. Compliance is no exception. On the contrary, compliance is often a burden on the shoulders of the IT department. Implementing all of this across hierarchies requires professional solutions.

Between lack of communication and technical barriers

In every company, compliance should not just be a buzzword on the fringes, but should actually be clearly defined across all levels and structures and adhered to. Normally, this involves nothing less than a highly complex set of regulations and rules of conduct. Whether it is organizational measures, copyrights, license management or transaction analysis, compliance processes apply to all employees without exception, even though they do not apply to everyone to the same extent. The IT department is usually commissioned to carry out these processes, ranging from assigning authorizations in the file system to special applications for compliance processes.

Although IT thus represents an essential interface between employees and company regulations, it often tends to develop a life of its own. A lack of communication between departments often means that certain connections are not understood, and as a result the clean execution of compliance is neglected.

On the other hand, technical barriers and a lack of specialist personnel, or underqualified specialist personnel, hinder a thorough system analysis. Weak points remain undetected or are not corrected properly, and the entire company becomes vulnerable.

IT compliance vulnerabilities

Information is already lost between individual departments during the basic instruction on regulations. New employees are trained on the side under a full daily workload, other instructions are passed on by word of mouth like a game of telephone and are distorted along the way, or the technical jargon is simply not broken down sufficiently. Even employees who have been working for the company for years lose track of new developments if communication is not always clean and unambiguous.

A still explosive example is the passing on of passwords. Time and again, incidents become known in which employees did not pass on their company passwords to natural persons, but used them to authenticate with services outside the company. As a result, passwords fell into the hands of third parties and were in some cases misused for hacker attacks on the company. One can assume that password compliance was not properly understood here.

Even measures such as the four-eyes principle or detailed logging are only of limited help if employees literally carry company-specific data out into the outside world. For example, data carriers such as USB sticks are regularly lost. A similar compliance violation confronted a semiconductor manufacturer with the worst-case scenario: an employee forgot to perform the prescribed virus scan of a downloaded file and a virus entered the company network. Several company locations were threatened with a total loss of production.

Communication deficits

  • Technical terms are not explained in an understandable way or are not looked into during employees' own research; as a result, instructions are not understood or are misinterpreted.
  • Employees lack interest in other departments; data is passed on carelessly.
  • Regulations are segmented individually for each department instead of being taught across the board.
  • When filling in for a colleague, sufficient training is missing.
  • Decentralized, unguided exchange between employees leads to misunderstanding and distortion of information.

Technology barriers

  • Private smartphones access the company network via WiFi or other digital access and process sensitive data in an untraceable way.
  • Data is released (e.g. to areas in the network) to unauthorized personnel or to employees who are not sufficiently trained.
  • Data carriers such as USB sticks, CDs or hard drives are taken along for private or business purposes and are lost.
  • Uploads and downloads of data are not fully verified, e.g. by virus scanners.
  • Unsafe websites are accessed, cookies are enabled or dubious notifications are activated.

Right and wrong

  • Copyright or license rights are violated, e.g. in the use of image material or in dealing with social media.
  • Critical company information reaches the public despite a confidentiality clause or obligation to maintain confidentiality.
  • The code of conduct towards customers is not correctly observed (too much goodwill, incorrect information or verbal agreements that cannot be kept).
  • Legal consequences arise from errors in the conclusion of contracts, orders and logistical processes.
  • Corporate espionage, cooperation with competitors, theft and misuse of data.

IT Forensics, Infrastructure and Security

Finding and eliminating faults is an essential task of IT forensics. Ideally, these can be prevented in the first place, for example by appropriate preventive measures. It is equally important to classify which company data is particularly sensitive or safety-critical and therefore of interest to outsiders. Whereas hackers have so far focused primarily on technical information and payment flows, details of the organizational structure and the personnel data of specialists who might be poached are now also regarded as targets for attacks.

In addition, data leaks are repeatedly caused by internal perpetrators, i.e. employees who deliberately or negligently misuse information. This can be the browsing of questionable websites on the office computer or the use of private devices that connect to the company network via WLAN and can thereby also introduce viruses.

The question of the modus operandi, who did what and when, then consumes a large share of IT resources when searching for the corresponding data leak. Private devices that are wirelessly networked are in particular much more difficult to control than local networks. Even data rooms such as the cloud, external servers and various communication platforms are considered far too rarely from an IT forensics perspective.

In summary, this is referred to as shadow IT, i.e. those parts of the IT infrastructure that are not subject to permanent control. Data processing shifts out of controlled systems, from the USB stick via smartphones to the home office. Employees are used to, and to no small degree dependent on, having access to functional, comprehensive and high-performance applications at all times.

Integration of compliance solutions

Compliance areas such as employee communication can be handled much better via CPaaS than via private messengers. The question of the GDPR alone cannot be sufficiently clarified for services such as WhatsApp and the like. If, however, a professional SMS gateway provider is used, additional functions such as a journal, statistics, budget control and integration via API into the company's own applications are also covered. This allows security and archiving processes to be implemented sustainably while minimizing the risk of data leaks.

Companies in China have once again experienced how government rules on the use of data can be an incredibly difficult challenge. The VPN ban in China brought virtual private networks to their knees. Anyone who wants to continue working with virtual private networks must have their VPN licensed from now on. As a result, the otherwise securely encrypted data traffic between different parts of the company is monitored by the state. The confidentiality of data transmission can no longer be guaranteed, and it cannot be ruled out that data will be altered.

In order to get around these technical barriers, and to prevent the communication difficulties already mentioned from becoming weak points, innovative solutions have to be found that integrate IT and compliance equally. The IT department and the company's legal representatives must work even more closely together here. The question of who is ultimately responsible for identifying risks and data leaks, and who is responsible for remedying them and taking preventive measures, still seems unclear in many companies. The situation requires that the departments communicate with each other and standardize the compliance process.

Communication solutions

  • Cross-team training measures in the form of training courses, workshops and compliance projects.
  • Break down instructions comprehensibly for everyone and make them available for reading.
  • Design employee communication effectively via CPaaS and in-house devices.

IT security

  • Encrypt (especially virtual) networks and Internet access, and secure them with antivirus software and appropriate programs to prevent internal and external unauthorized access.
  • Avoid mobile data carriers, but support mobile access to networks.
  • Integrate server and system monitoring to ensure timely alerting of the relevant specialist personnel, for example in the event of suspicious access, error codes or pending system updates.

Legal bases

  • Provide and archive sample templates for invoices, purchase orders, etc. in the system.
  • Provide a specific, summarised clarification of the legal situation, with a detailed explanation of technical terms and paragraphs.
  • Adapt employment contracts accordingly so that jurisdiction and penalties are clearly established.

Best regards
Your sms77 team

Header picture by EtiAmmos via iStock.com
