The costs of non-compliance are dreadful, but 100% avoidable. Is investing in compliance as costly as being fined for non-compliance?
The above statistics clear the air and underpin the fact that it’s cheaper to invest in compliance than to suffer losses for being non-compliant. That’s the financial standpoint.
And there are other challenges like:
- multiple regulations at local and global levels
- too many systems and platforms that make the IT landscape very complex
- continuous auditing of processes and systems
This turns out to be a tiring activity. On average, there are 13 IT security or privacy regulations that an organization must meet. Moreover, an increase in cloud adoption and digital technologies exposes a business to additional regulations. These facts show that an organization needs a dedicated team equipped with the right tools. A team performing tests and audits without automation tools would drown under a lot of manual compliance work, a condition also known as audit fatigue.
How are cybersecurity and compliance related?
Cybersecurity and compliance are closely linked. Security means having the right tools (both software and hardware) to protect businesses from cyber-attacks. This could mean having firewalls, identity and access management tools, endpoint detection and response, email protection, network security, and so on. Compliance means meeting standards set by different regulatory bodies.
Some regulations are region-specific, like GDPR in the European region, the California Consumer Privacy Act (CCPA) in the United States, the Data Protection Act in the United Kingdom, and so on. Industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA) are enacted for companies handling patient health information. For cloud service providers it is ISO/IEC 27017:2015. There are others like the Payment Card Industry Data Security Standard (PCI DSS), which applies to any business that deals with financial data like customer credit card details, bank information, and so on. These are just a few; a company could be swamped with many regulations.
Security and compliance – not security vs compliance
A compliant business is in a better position to protect its systems than a non-compliant one. In a nutshell, security and compliance are both means to manage and mitigate business risk better. Both aspects still need to be evaluated individually: a business could be compliant with all required regulations and still have certain areas exposed where it needs stronger cyber security measures. Therefore, an organization must look at the situation as security and compliance – both, and not just one.
Least GDPR-ready vs. more GDPR-ready businesses
- Data breach losses of more than $500,000: 64% of the least GDPR-ready businesses vs. 37% of the more GDPR-ready businesses
- Records impacted by a data breach: 212,000 vs. 79,000
- System downtime: 9.4 hours vs. 6.4 hours
This shows that compliant businesses are better at securing their systems from disruption than less compliant ones.
Compliance - a major driver of customer confidence and trust
Any non-compliant business attracts penalties, but more than that it ends up losing customer trust. In one survey conducted with security leaders, 21% of them said the largest consequence of a data breach to an organization is losing customer trust.
The other consequences are reputation damage, data loss, regulatory penalties, and revenue losses. Any business with a good data protection policy attracts new customers, as it is likely to be trusted more. For similar reasons, compliant businesses can appeal to the right financiers, who are more inclined to invest in privacy-mature businesses.
There’s another angle to look at. As companies begin their compliance journey, they often stumble upon untapped data, which could have huge potential – perhaps in terms of customer insights, innovation, market intelligence, and even operational efficiency.
The brighter side: manage reputation risk through compliance
Reputation risk is increasingly becoming a topic for the C-suite and the board to address. Gartner says that by 2024, CEOs will be held responsible for data breaches arising out of insufficient data security measures.
One survey published by the World Economic Forum found that executives believe about 25% of a company’s revenues can be attributed to its reputation. If this is true, then security and compliance carry even more weight. One wrong event could escalate quickly and put reputation and revenues at stake. The world has witnessed companies’ stocks collapse overnight due to negative press coverage of regulatory non-compliance. The good news is that compliance is very much under the company’s control, and one of the easiest ways to manage reputation risk is by getting compliance in order.
How to go about compliance?
You can’t protect what you can’t see. Businesses must take stock of their assets first, meaning applications, servers, devices, people, and so on. Once they have done that, they must identify sensitive data and prioritize protecting it accordingly with data security tools. Companies must evaluate whether they have the tools to protect data, whether they can implement the right security controls, and whether they have an effective regulatory compliance strategy in place. For data that requires consent, businesses must identify how and what they want to communicate to the user, where the consent will be recorded, and how easy it is for the user to withdraw that consent. If the data moves from one location to another, the company must also find a solution to monitor that movement. In the event of a breach, communication with the regulatory agency and with customers needs to be considered.
And of course, they need to check which laws apply to the region and industry they operate in. For companies based in Europe that deal with users’ personal data, GDPR applies. Personal data could be a name, address, passport number, credit card information, etc. It could also concern race, sexual orientation, political views, and so forth. Once data of this nature is collected, a company must have consent to store and process it. There are other GDPR requirements a company must abide by: data must not be stored longer than necessary, it must be encrypted and anonymized as applicable, and so on. This is just one compliance regime; there are more regulations to manage, and it is natural for companies to feel overwhelmed. Therefore, they need external support.
Where T-Systems can help you
Our expert professionals can help you mitigate the risks. We can support you to define a security strategy that aligns with your business initiatives.
How we can help you:
- assess and manage your security posture
- manage security policies for multi-cloud environments and applications
- assess data privacy and regulatory compliance requirements
- evaluate threat management, identity, and access management
- identify business changes and the third-party risks associated with them
- identify the right tools for automation
T-Systems supports its customers in managing risks and regulatory compliance better. With a pool of experts and experience in assessments and implementations, we are equipped to help you with our advisory and managed services.
Get in touch with us to have a conversation today.