It has now been determined that 43% of organisations have been reported to the ICO, & that this increased IT compliance element is consuming IT security budgets. The focus has been on third-party data rather than on the company’s own assets.
A majority (58%) of businesses believe that compliance requirements are a ‘barrier’ to moving into new markets, says new research revealed in the 2020 Cyber Report.
The study also observed that businesses are finding it very hard to deal with the growing number of compliance requirements, & that this is holding back growth.
In the study’s findings, half (51%) of those canvassed replied that they spend at least 40% of their IT security budgets on data protection & security compliance.
The same proportion say the work costs them as much as 20,000 hours of resource per annum.
Andy Barratt, who is UK MD of cyber-security consultancy Coalfire, explained: “Being compliant is not the same as being secure and an over-focus on meeting regulations drives certain behaviours that don’t always help address the specific cyber-threats a business faces.
“Regulations typically focus on the resources a firm uses that are owned by external stakeholders – card data, personally identifiable information, for example.
“Protecting one’s own assets is another, just as important, focus that firms have limited time & money to invest in thanks to the increasingly demanding compliance regimes they have to maintain.”
The so-called ‘siloed’ approach to compliance, which neither maximises efficiency nor produces solutions that serve the business’s wider objectives, is ultimately diverting investment away from security, he went on to say.
“IT teams need to start thinking differently about compliance & align these efforts more closely with their company’s wider strategic objectives if they are to enable growth & effectively manage cyber risk.”
Around 70% of firms say they have to manage an absolute minimum of 5 different compliance projects at any one time, while a few (7%) must work on 50 or more.
“The burden of compliance has already become unsustainable for a lot of businesses,” Barratt commented.
He also flagged up the sensitivity towards data privacy issues, which increased vastly when GDPR was brought in.
Cyber-security standards have changed dramatically from point-in-time reviews to ‘continuous, outcome-based processes’.
“The post-Covid-19 economy is going to force businesses to be leaner & more efficient operationally & firms can’t afford to spend time & money on activity that isn’t furthering their commercial ambitions,” Barratt further observed.
“IT teams need to start thinking differently about compliance & align these efforts more closely with their company’s wider strategic objectives if they are to enable, rather than inhibit, growth in the future.”
This survey also included over 100 prominent IT & security executives representing industries including technology, financial services, manufacturing, healthcare & government.
Coalfire’s report, Compliance in the Era of Digital Transformation, shows how public & private sector organisations are adapting themselves to address the ever-growing burden of IT compliance.
The principal findings are:
- More than 51% are spending 40% or more of their IT security budgets on compliance.
- Almost 60% of companies view compliance as a barrier to enter new markets.
- A change in cyber standards from point-in-time assessments to continuous, outcome-based compliance requirements.
- Some 66% indicate that technology with automation, ongoing visibility, & coordinated assessments are now critical to compliance transformation & reducing audit fatigue & total cost of compliance.
Coalfire worked with global technology analyst consultancy Omdia to research the impact of cyber compliance in the first quarter of 2020.
It examined how public & private sector organisations are managing risk from the perspective of growing compliance demand.
Alan Rodger, Senior Analyst at Coalfire’s research partner Omdia, added: “Despite the exponential growth in compliance obligations, our research shows that positive business & security outcomes are possible.
“By adopting new best practices, some organisations are reporting 40 to 50% compliance resource savings, and many are using their improved security posture as a competitive differentiator.”
107 Leading Officers
The survey also included 107 leading officers, directors, & managers worldwide in the fields of IT, compliance, & risk management.
In addition, separate research discovered that 43% of IT decision-makers had admitted that their organisation had been reported to the ICO since GDPR came in.
The same research also noted an increase in the implementation of encryption & endpoint control since GDPR was enforced.
The research, from Apricorn – a manufacturer of 256-bit AES XTS hardware-encrypted USB drives – examined how organisations have changed their attitudes & approaches to cyber-security since GDPR was introduced.
A full quarter of IT decision-makers said they had notified the ICO of a breach or potential breach within their organisation.
21% have had a breach or a potential breach reported by others.
Over 160,000 breach notifications have been made to the data supervisory authorities in the European Economic Area (EEA) since GDPR came into effect, according to a data breach survey by law firm DLA Piper covering the period up to the end of January 2020.
Jon Fielding, Apricorn MD EMEA, commented: “The fact that so many businesses are now choosing to notify of a potential breach is positive, but likely precautionary to avoid falling foul of the requirements and any significant financial or reputational ramifications.”
Almost all who replied (94%) commented that their organisation has a policy that formally requires encryption of all data held on removable media.
Of those organisations that encrypt all data held on removable media, over half (57%) hardware encrypt all information as standard on all removable media.
“The wide variety of options for encryption deployment can be intimidating, & companies haven’t been using it effectively,” Fielding further added.
“Organisations are now beginning to recognise the importance of endpoint hardware encryption and the need to implement & enforce policies to protect corporate data, ensure compliance with data protection regulations, & reduce the potential for a data breach.”
42% said they allowed only corporate IT provisioned/approved devices for any remote working – a large rise compared with 12% in 2019, highlighting a positive shift in focus towards endpoint control.
Fielding then added: “It’s clear that GDPR is finally having some impact, but businesses need to recognise that compliance is on-going & they should continue to enforce and update all policies.
“Equally, more needs to be done in terms of employee awareness & education if they want to reduce the risk of a data breach, particularly given the increase in data moving beyond the corporate network.”
Further main findings:
- Nearly 4 in 10 (39%) have seen an increase in encryption, & their organisation now requires all data to be encrypted.
- Respondents have no further plans to expand encryption on USB sticks (38%), laptops (32%), desktops (37%), mobiles (31%) & portable hard drives (40%).
- Regarding data breaches, over a third (35%) said that damage to the brand & reputation of the business is their main concern, followed by financial costs for incident response & clean-up (28%), loss of customer trust (18%) & financial costs resulting from a fine (12%).
- Employees unintentionally putting data at risk remains the leading cause (33%) of a data breach, with lost or misplaced devices now the second biggest cause (24%), & third parties mishandling corporate information not far behind (23%).
This Apricorn research was conducted in March by Censuswide.
Included were 100 UK IT decision-makers (CIOs, Heads of IT, IT Directors, Senior IT Managers etc.) from enterprise organisations (1000+ employees) within the financial services, IT, manufacturing, business & professional services sectors.
Fascinating research indeed!