
Compliance is more than avoiding fines

Why businesses must focus on cybersecurity and compliance together, and how compliance can turn into an advantage

May 11, 2023 | Dheeraj Rawal

What’s in the blog

Find out how modern customers look at businesses from a compliance standpoint, why the cost of non-compliance goes well beyond fines, and how a business can turn compliance into a strategic advantage that wins customer trust. The underlying question: why must businesses treat security and compliance as one effort rather than two?

Modern customers demand data safety and privacy


Regardless of how good the product or service is, customers today need to be assured that their data is safe with the company. Data privacy has become a hygiene factor rather than a differentiating feature. Customers are informed about data safety and privacy, and they avoid transacting with a business that has ambiguous or no compliance measures in place: 3 out of 4 people say they will not buy if they believe their data isn't protected.
Despite such strong indicators, companies find it challenging to keep up with compliance norms. As regulations pile up, the cost of staying compliant rises with them: since 2011 there has been a 45% increase in compliance-related operating costs.
Companies need expertise (a team and tools) to understand these regulations and abide by them. As a result, meeting compliance standards is often perceived as an unavoidable expense, much like paying taxes or buying insurance.

But non-compliance is riskier 

Since 2008, US banks have faced penalties to the tune of $243 billion. In Europe the norms are even tighter under the General Data Protection Regulation (GDPR): fines can go as high as €20 million or 4% of worldwide annual turnover, whichever is higher.
Companies have been penalised for not falling in line. Amazon was fined a record €746 million in 2021 for GDPR violations relating to how it obtained consent for processing personal data. In the last two to three years, other giants like Google, Facebook and WhatsApp have attracted heavy penalties for GDPR violations. The list is long, and the point is that the laws are enforced, not just written.

Eventually, compliance is more affordable than non-compliance

The costs of non-compliance are dreadful, but they are largely avoidable. So is investing in compliance really as costly as being fined for non-compliance?

The figures above make it clear that it is cheaper to invest in compliance than to suffer the losses of being non-compliant. That is the financial standpoint.
There are other challenges as well:

  • multiple regulations at local and global levels
  • too many systems and platforms that make the IT landscape very complex
  • continuous auditing of processes and systems

This quickly becomes a tiring activity. On average, an organisation must meet 13 IT security or privacy regulations. Moreover, growing cloud adoption and digital technologies expose a business to additional regulations. This suggests that an organisation needs a dedicated team equipped with the right tools: a team performing tests and audits without automation would drown in manual compliance work, a condition often called audit fatigue.

How are cybersecurity and compliance related?

Cybersecurity and compliance are closely linked. Security means having the right controls, both technical (software and hardware) and organisational, to protect the business from cyber-attacks. This could mean firewalls, identity and access management tools, endpoint detection and response, email protection, network security, and so on. Compliance means meeting the requirements set by regulators and, in some cases, by industry bodies.

Some regulations are region-specific, like the GDPR in the European Union, the California Consumer Privacy Act (CCPA) in California, the Data Protection Act 2018 in the United Kingdom, and so on. Industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA) apply to companies handling patient health information. Alongside the laws there are standards: ISO/IEC 27017:2015 is a code of practice for information security controls in cloud services, and the Payment Card Industry Data Security Standard (PCI DSS) is a contractual industry standard that applies to any business that stores, processes or transmits payment card data. These are just a few examples; a company can be swamped with many regulations and standards at once.

Security and compliance – not security vs compliance

A compliant business is in a better position to protect its systems than a non-compliant one. In a nutshell, security and compliance are both means to manage and mitigate business risk. But each needs to be evaluated on its own terms. Compliance is assessed against a fixed set of requirements, usually at a point in time, so a business can be compliant with every applicable regulation and still have exposed areas that need stronger cybersecurity measures. Therefore an organisation must look at the situation as security and compliance, both, and not just one.

                                                   GDPR-Ready Business    Least GDPR-Ready Business
Businesses with data breach losses over $500,000   37%                    64%
Records impacted per data breach                   79,000                 212,000
System downtime per data breach                    6.4 hours              9.4 hours

This shows that compliant businesses are better at protecting their systems from disruption than less compliant ones.

Compliance - a major driver of customer confidence and trust

A non-compliant business attracts penalties, but more than that, it ends up losing customer trust. In one survey of security leaders, 21% said the largest consequence of a data breach to an organisation is losing customer trust.
The other consequences are reputation damage, data loss, regulatory penalties, and revenue losses. A business with a good data protection policy attracts new customers because it is more likely to be trusted. For similar reasons, compliant businesses appeal to the right investors, who are more inclined to back privacy-mature businesses.
There is another angle as well. As companies begin their compliance journey, they often stumble upon untapped data that has potential of its own, perhaps for customer insights, innovation, market intelligence, or operational efficiency.

The brighter side: manage reputation risk through compliance

Reputation risk is increasingly a topic for the C-suite and the board to address. Gartner predicts that by 2024, CEOs will be held responsible for data breaches arising from insufficient data security measures.
A survey published by the World Economic Forum found that executives attribute about 25% of their company's revenues to its reputation. If that is true, security and compliance carry even more weight. One wrong event can escalate quickly and put reputation and revenues at stake; companies have seen their share prices fall sharply on the back of negative press coverage about regulatory non-compliance. The good news is that compliance is very much under the company's control, and getting compliance in order is one of the most direct ways to manage reputation risk.

How to go about compliance?

You can't protect what you can't see. Businesses must first take stock of their assets: applications, servers, devices, data stores, people, and so on. Once they have an inventory, they must identify where sensitive data lives and prioritise protecting it with appropriate data security tools. Companies must evaluate whether they have the tools to protect that data, can implement the right security controls, and can maintain an effective regulatory compliance strategy over time. For data that requires consent, the business must decide what it communicates to the user and how, where the consent is recorded, and how easily the user can withdraw it. If data moves from one location to another (between systems, regions, or third parties), the company must also be able to monitor that movement. Finally, the business must plan in advance how it will communicate with regulators and customers in the event of a breach; under the GDPR, for example, the supervisory authority must be notified within 72 hours of becoming aware of a personal data breach, which is not a timeline that can be met without a prepared process.

And of course, they need to check which laws apply to the regions and industries they operate in. The GDPR applies to companies established in the EU and to companies elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU. Personal data includes names, addresses, passport numbers, payment card information, and so on, as well as special categories such as race, sexual orientation, political views, and health data. Before collecting such data, a company must have a lawful basis to store and process it; consent is one such basis, and for special category data the bar is higher, requiring explicit consent or one of a narrow set of exceptions. There are further GDPR requirements a company must abide by: data must not be kept longer than necessary, must be encrypted or pseudonymised as appropriate, and so on. This is just one regulation among many, so it is natural for companies to feel overwhelmed, and external support can be the practical answer.

Where T-Systems can help you

Our expert professionals can help you mitigate these risks. We can support you in defining a security strategy that aligns with your business initiatives.

How we can help you:

  • assess and manage your security posture
  • manage security policies for multi-cloud environments and applications
  • assess data privacy and regulatory compliance requirements
  • evaluate threat management, identity, and access management
  • identify business changes and the third-party risks associated with them
  • identify the right tools for automation

T-Systems supports its customers in managing risk and regulatory compliance better. With a pool of experts and experience in assessments and implementations, we are equipped to help you with our advisory and managed services.


About the author

Dheeraj Rawal, Content Marketer, T-Systems International GmbH
