Find out how modern customers look at businesses today from a compliance standpoint, why non-compliance is more than just fines, and how a business can turn compliance into a strategic advantage to win customer trust. In the long run: Why businesses must focus on security and compliance together?
Regardless of how good the product or the service is, customers today need to be assured that their data is safe with companies. Data privacy is more like a hygiene factor than a salient feature. Customers are informed about data safety and privacy. They avoid transacting with a business that has ambiguous or no compliance measures in place. 3 out of 4 people will not buy if they believe their data isn’t protected.
Despite of such strong indicators, companies find it challenging to keep up with compliance norms. As regulations pile up, the costs to be compliant also rise. Since 2011, there’s been a 45% increase in compliance-related operating costs.
Companies need expertise (team and tools) to understand these regulations and abide by them. Naturally, meeting compliance standards is perceived to be exorbitant, kind of paying taxes or spending on insurance.
Since 2008, US banks have faced penalties to the tune of $243 billion. For Europe, the norms are even tighter with General Data Protection Regulation (GDPR) laws. The fines could go as high as €20 million or 4% of worldwide turnover (whichever is higher).
Companies have been penalized for not falling in line – Amazon was fined a record €746 million for data misuse, relating to the cookie consent policy, in 2021. In the last two to three years, other giants like Google, Facebook and WhatsApp have attracted heavy penalties for GDPR norm violations. The list is long, and the point is that the laws are real and not just in theory.
The costs of non-compliance are dreadful, but 100% avoidable. Is investing in compliance as costly as being fined for non-compliance?
The above statistics clear the air and underpins the fact that it’s cheaper to invest in compliance than suffer losses for being non-compliant. That’s the financial standpoint.
And there are other challenges like:
This turns out to be a tiring activity. On average, there are 13 IT security or privacy regulations that an organization must meet. Moreover, an increase in cloud adoption and digital technologies expose a business to additional regulations. These facts prove that an organization needs a dedicated team equipped with the right tools. A team performing tests and audits without automation tools would drown under a lot of manual compliance work, also known as audit fatigue.
Cybersecurity and compliance are closely linked. Security means having the right tools (software and hardware both) to protect businesses from cyber-attacks. This could mean having firewalls, identity access management tools, endpoint detection and response, email protection, network security, and so on. Compliance means meeting standards set by different regulatory bodies.
Some regulations are region-specific like GDPR in the European region, California Consumer Privacy Act (CCPA) in the United States, Data Protection Act in the United Kingdom, and so on. Industry-specific regulations like Health Insurance Portability and Accountability Act (HIPAA) are enacted for companies handling patient health information. For cloud service providers it is ISO/IEC 27017:2015. There are others like Payment Card Industry Data Security Standard (PCI DSS) which apply to a business that deals with financial data like customer credit card details, bank information, and so on. These are just a few, a company could be swamped with many regulations.
A compliant business is in a better position to protect its systems than a non-compliant one. In a nutshell, security and compliance are means to manage and mitigate business risk better. Both aspects need to be evaluated individually. It’s a possibility that the business could be compliant with required regulations and still have certain areas exposed – where it needs stronger cyber security measures. Therefore, an organization must look at the situation as security and compliance – both, and not just one.
GDPR-Ready Business | Least GDPR-Ready Business |
37% of the business faced data breach losses of more than $500,000 | 64% of the business faced data breach losses of more than $500,000 |
79,000 records impacted due to data breach | 212,000 records impacted due to data breach |
6.4 hours of system downtime | 9.4 hours of system downtime |
This shows that compliant businesses are better at securing their systems from disruption than less compliant ones.
Any non-compliant business attracts penalties, but more than that it ends up losing the customer trust. In one of the surveys conducted with security leaders, 21% of them said the largest consequence of a data breach to an organization is losing customer trust.
The other consequences are reputation damage, data loss, regulatory penalties, and revenue losses. Any business with a good data protection policy attracts new customers as they are likely to be trusted more. For similar reasons, compliant businesses can appeal right financers as they’re more inclined to invest in privacy-mature businesses.
There’s another angle to look at. As companies begin their compliance processes journey, they often stumble upon untapped data, which could have huge potential – perhaps in terms of customer insights, innovation, market intelligence, and even operational efficiency.
Reputation risk is increasingly becoming a topic for C-suite level and board to address. Gartner says that by 2024, CEOs will be responsible for data breaches arising out of insufficient data security measures.
One of the surveys published by the World Economic Forum found that executives believe about 25% of the revenues can be attributed to the company’s reputation. If this is true, then security and compliance carry even more weight. One wrong event could potentially escalate things quickly and put reputation and revenues at stake. The world has witnessed companies’ stocks collapse overnight due to negative press coverage of regulatory non-compliance. The good news is that compliance is very much under the company’s control, and one of the easiest ways to manage reputation risk is by getting compliance in order.
You can’t protect what you can’t see. Businesses must take stock of assets first, which means applications, servers, devices, people, and so on. Once they do that, they must identify sensitive data and prioritize protecting it accordingly with data security tools. Companies must evaluate whether they have tools to protect data, can implement the right security controls, and reattribute an effective regulatory compliance strategy. For data that require consent, businesses must identify how and what they want to communicate to the user, where will be the consent recorded, and how easy is it for the user to withdraw the consent. If the data is moving from one location to another, the company must also find a solution to monitor the movement. In an event of a breach, communication with the regulatory agency and customers needs to be considered.
And of course, they need to check which laws are applicable to the region and industry they operate in. For companies dealing with user data of personal nature based in Europe, GDPR laws apply. Personal data could be name, address, passport number, credit card information, etc. This data could also be around race, sexual orientation, political views, and so forth. Once data of such nature is collected, a company must have consent to store and process the data. There are other requirements of GDPR that a company must abide by like: data must not be stored for a longer duration, must be encrypted and anonymized as applicable, and so on. This is just one of the compliances, there are more regulations to manage – where it is natural for companies to feel overwhelmed. Therefore, they need external support.
Our expert professionals can help you mitigate the risks. We can support you to define a security strategy that aligns with your business initiatives.
How we can help you:
T-Systems supports its customers to manage risks and regulatory compliance better. With a pool of experts and experience in assessments and implementations, we are equipped to help you with our advisory and managed services.