Make Sure You Don't Have Your SOX on Backwards
Back in 2002, Congress passed SOX with the best of intentions: to protect shareholders and the economy at large from the widespread effects of fraudulent corporate behavior. The act also places fairly strenuous demands on your business. Beyond its role in the financial side of the company, SOX is a major factor to consider on the IT side as well, because the controls it requires around financial records and the systems that hold them are, at bottom, security controls. Letting them lapse does not just risk a failed audit; it leaves the same data exposed to malicious actors outside your walls and within them.
What Is SOX?
As we mentioned at the beginning, SOX is a piece of legislation passed by Congress in 2002. It is short for Sarbanes-Oxley, after its two sponsors, Senator Paul Sarbanes and Representative Michael Oxley.
The act requires every publicly traded company to comply with its provisions. In general, those provisions center on accountability and corporate governance: accurate financial reporting, internal controls over that reporting, and personal responsibility for executives who sign off on it.
In the years leading up to 2002, the country had been shocked over and over again to find that many corporations seemingly weren’t even trying to do right by their shareholders, look out for the best interest of their customers, or even follow the law. Instead, companies like WorldCom, Enron and Tyco acted recklessly in the pursuit of illegal profits, leaving a wake of destruction behind them.
One of the many byproducts of these scandals was that investor confidence took a big hit. Obviously, no one wanted to get near many American businesses if they thought that these companies would take their money and do whatever pleased them.
While corporate governance was the main reason behind the support for SOX, the IT side of things matters just as much in practice. Under SOX, corporations must follow rules regarding the retention of records, including electronic ones, and must maintain internal controls over the systems that produce their financial reports (the Section 404 requirement). Because financial records now live in databases, ERP systems and e-mail, the effectiveness of those controls depends heavily on who can access and alter those systems. If the worst should happen, the business then has a digital trail showing what led up to any catastrophe, and regulators and the courts can hold the company accountable for wrongdoing.
Companies must not only keep these records, they must regularly report that their controls are in place and working (Section 302 certifications signed by the CEO and CFO, and the annual Section 404 management assessment). On top of that, an independent external auditor must attest to management's assessment.
Kinds of Company Affected by SOX
Again, any company whose shares are publicly traded on a U.S. exchange must conform to the SOX Act, whether or not it is headquartered in the U.S. This includes smaller public companies, not just the Fortune 500 names most of us tend to think of; smaller filers are relieved of some of the external-auditor attestation burden, but the management certification and internal-control requirements still apply.
Many private companies have begun adopting SOX as guidelines too, for a number of reasons. One is simply that it helps them keep better records of their own performance. Private companies can also have shareholders, so they may implement it to look out for those investments. Others are preparing for an IPO, after which compliance becomes mandatory. And a few provisions, such as the penalties for destroying records to obstruct an investigation and the whistleblower protections, already reach private companies.

Keep in mind that the IT portion of SOX means more than just keeping accurate records on hand. The legislation does not spell out specific technical controls, but auditors assess IT general controls (typically against a framework such as COBIT or COSO), and access control is always among them: who can log in to the financial systems, how they prove their identity, and whether that access is reviewed and revoked. In practice this means that strong, unique passwords and two-factor authentication on every system in scope are effectively required. To be clear, none of that is written into the statute, but it is implied strongly enough, and checked often enough, that it is worth the investment.
Why Those Companies Need Stronger Authentication/Password Management
The need for stronger authentication and password management at companies operating under SOX should be fairly obvious. Gathering and retaining all of this financial data is a challenge in itself, but it does not feel like a risk as long as you assume the only people reading it will be regulators and auditors from time to time.
What if someone else were to get their hands on that data? What if a competitor, a foreign government or an ordinary criminal reached the treasure trove you have been diligently building for years, or worse, quietly altered it so that the records your executives certify are no longer true?
Relying on a password alone is no longer an option. Attackers have tooling that makes that kind of protection almost irrelevant: offline cracking of leaked password hashes on commodity GPUs, and credential-stuffing attacks that replay usernames and passwords from other breaches against your login pages, which succeed because people reuse passwords. Unfortunately, more and more companies have had to learn this the hard way.
Potentially more worrying is that many of these parties do not need to break anything at all. Instead, they prey on your employees. If your company is publicly traded, it almost certainly has enough staff that a phishing campaign will eventually find the right candidate, and once it does, a single phished password may be all that is needed. A second factor raises that bar considerably, though not all second factors are equal: one-time codes delivered by SMS or an authenticator app can still be relayed by a real-time phishing site, while hardware-backed methods such as FIDO2 security keys bind the login to the genuine site and resist that attack.
Risks of “Putting off” Compliance
There is no upside to putting off compliance with SOX. It is like thinking you can simply never pay your taxes: sooner or later you will land in trouble with the authorities, and the penalties include fines for the company and personal liability for the executives who certify its reports. That, however, is the visible risk. The less visible one is that a third party notices you are not protecting your sensitive data well enough and uses it for their own benefit, long before any regulator notices anything.
It is also essential not to assume SOX compliance is something you can do overnight. It is not a matter of installing the requisite software and moving on; the controls have to be designed, documented, operated consistently and evidenced for the auditor, year after year.
At the end of the day, Sarbanes-Oxley is the law, meaning you need to make it part of your business as soon as possible. Beyond that, putting off compliance also leaves your company open to the very parties you would least want in possession of your sensitive data.