9. Spending unthinkingly wastes resources you might need for important threats
Another compliance-related security trap companies frequently fall into, Rothman said, is spending the same effort and money protecting IT systems that differ wildly in how much they matter to the organization's security and success.
"Some people make the mistake of treating all security issues equally, and spend the same amount of time and money defending an old application that only five people use as they spend on an online application used by all of their customers," he said.
That approach not only wastes money; it can also push more important problems to later consideration, or to none at all once the budget has dried up. "Security people often don't know how to prioritize," Rothman said. "They should look at what happens if something specific breaks and look at how to drive spending from there."
10. Don't save the wrong data
In another common scenario that spells disaster for both security and compliance, many companies that process credit and debit cards inadvertently leave transaction logging enabled that records full account information. Those logs can lead to customer data breaches and to PCI (Payment Card Industry) audit failures.
"Naturally, they don't realize they are storing the data a hacker or malicious employee would need to create fake plastic credit cards," said Symantec's Roop. "This is the cardinal sin of PCI compliance. We actually saw this example at a [recent] prospect. It is a big land mine that most likely will result in a failed PCI audit."
Even companies that do not handle card data need to make sure they save only the information they actively need to do business, Roop said. Keeping data on hand that attackers could misuse, without a clear business need to store it, is asking for trouble, he advised. And if it must be retained, build a protection method for it as well.
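The first step in finding the "land mine" Roop describes is to check whether full card numbers have already leaked into application or gateway logs. The following scanner is an added example, not code from the article or from Symantec: it looks for 13- to 19-digit sequences in log lines, keeps only those that pass the Luhn check (so order and session ids are not flagged), and rewrites the ones it finds to show at most the first six and last four digits, which is the maximum PCI DSS allows to be displayed. The log lines are constructed for the example and use the standard test number 4111 1111 1111 1111 rather than a real card.

```python
import re

# Constructed sample log lines for this example (not real data). Line 2 and
# line 3 carry the Visa test PAN 4111111111111111, which passes Luhn; the
# order id on line 1 and the session id on line 4 do not, so they stay intact.
SAMPLE_LOG = """\
2024-01-05T10:12:01Z INFO checkout order=1234567890123456 status=ok
2024-01-05T10:12:02Z DEBUG gateway request pan=4111111111111111 exp=12/26 amount=19.99
2024-01-05T10:12:03Z DEBUG gateway response pan=4111-1111-1111-1111 cvv=123
2024-01-05T10:12:04Z INFO session id=1234567890123456789 user=alice
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, mask the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str):
    """Redact Luhn-valid PANs in one log line. Returns (new_line, pans_found)."""
    found = 0

    def _sub(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # order ids, session ids etc. are left alone
        found += 1
        return mask_pan(digits)

    return CANDIDATE_RE.sub(_sub, line), found


def scan_log(text: str):
    """Scan a log body. Returns (redacted_text, total_pans, offending_line_numbers)."""
    out_lines, total, offenders = [], 0, []
    for n, line in enumerate(text.splitlines(), 1):
        new_line, count = redact_line(line)
        if count:
            total += count
            offenders.append(n)
        out_lines.append(new_line)
    return "\n".join(out_lines), total, offenders


if __name__ == "__main__":
    redacted, total, offenders = scan_log(SAMPLE_LOG)
    print(f"{total} PAN(s) found on lines {offenders}")
    print(redacted)
```

Run against real log directories, the `offenders` list tells you which systems still have verbose payment logging switched on; turning that logging off (or masking at the source) is the actual fix, and the redaction here only cleans up what has already been written. Note that line 3 also logs a CVV, which PCI DSS forbids storing at all after authorization; a scanner like this should be extended to flag such fields as well rather than merely masking the card number next to them.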