Many businesses have to work hard to meet different security compliance standards. Examples range from DoD contractors who have to meet NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC), to healthcare providers who need to satisfy the Health Insurance Portability and Accountability Act (HIPAA), to retailers that must adhere to Payment Card Industry Data Security Standard (PCI DSS) requirements.
Meeting regulatory compliance standards is a must for any business, regardless of size or industry. But why should companies work not only to meet basic security requirements, but to exceed them?
It has to do with the potential costs of bad security and how they compare to the cost of compliance.
What Is Security Compliance for Businesses?
For a business, security compliance is whatever the organization does to meet the requirements placed on it by various government and industry regulators. This often makes compliance a legal concern for businesses.
It should be noted that security and compliance can be seen as two distinct issues by a business. While compliance with standards (like PCI DSS, GDPR, or CMMC) often requires strong security, it doesn’t guarantee that security will be strong.
Creating truly strong IT security (also known as cybersecurity) may mean going above and beyond the minimum requirements of a compliance standard.
How Much Does Meeting Security Compliance Requirements Cost?
The cost of meeting security compliance requirements can vary greatly from one organization to the next. Some factors that influence the cost of compliance include:
- Organization size;
- Complexity of IT systems;
- Specific technologies used;
- The requirements the company needs to meet; and
- Any new additions or acquisitions made throughout the year.
These variables can have a large impact on the cost of compliance. However, Network World has noted that the “cost of achieving regulatory security compliances is on average $3.5 million each year, according to a survey of 160 individuals leading the IT, privacy and audit efforts at 46 multinational organizations.”
It’s important to note that this is the cost for multinational businesses in one study. Smaller organizations may not have to spend quite as much because they may not be subject to the same rules or may have less complex IT infrastructures to protect.
What Does Bad Security Compliance Cost?
So, what’s the problem with an organization falling short of the data security compliance goals that regulators set for it? Why spend millions on regulatory compliance for security? One reason is the cost of bad security compliance for the business.
Security noncompliance costs can be sorted into two major categories: direct costs and indirect costs.
Direct Costs of Noncompliance
- Regulatory Fines/Sanctions. When a company is subject to a security compliance regulation administered by a government organization, noncompliance with that regulation often results in fines. The fines for noncompliance can vary from one regulation to the next.
- The Cost of Remediating Security Incidents. Remediating a security incident can be a long and expensive process. Organizations with insufficient security are more likely to have a tougher time eliminating the breach and restoring normal function—which increases the cost of remediation. Plus, they’re more likely to suffer a breach in the first place.
- Audits and Extra Compliance Spending. Some regulatory bodies may require companies to undergo comprehensive compliance auditing and make any necessary additions to close compliance gaps. This can end up adding more in costs than simply getting compliance measures right the first time.
Indirect Noncompliance Costs
- Data Breaches. Research by IBM and the Ponemon Institute states that, worldwide, the average cost of a data breach is about $3.86 million per incident. However, in the USA, the average cost rises to $8.64 million.
- Legal Fees. Organizations that have compliance violations may find themselves facing litigation from not just government entities—but from individuals (or classes) as well. Fighting lawsuits from a security breach arising from a compliance issue can be expensive and time-consuming. Costs can easily exceed hundreds of thousands of dollars over a period of years as motions and counter-motions are filed by the company’s legal team.
- Loss of Business Reputation. Having a reputation for insufficient security can be an enormous burden for any organization. Customers who are security conscious will actively avoid companies that have a bad security rep, which can cause a dip in sales.
- Impacts on Stock Price. Publicly traded companies may see a dip in their stock price. As noted by CSO Online, after a comparison of companies in the New York Stock Exchange (NYSE) with data breaches of 1 million or more records: “Share prices of breached companies hit their lowest – around 7.3% down – around 14 market days following a breach and underperform the wider NASDAQ by ~4%.”
In short, noncompliance with security standards can cost a business a significant amount of money—easily more than the cost of being compliant in the first place.
For example, if you take the average cost of a data breach in the U.S. ($8.64 million) and compare it to the average annual cost of compliance for a multinational conglomerate ($3.5 million), preventing a single data breach could pay for nearly two and a half years of compliance efforts. This is in addition to any money saved on compliance audits, litigation, and other costs.
Tips for Meeting Key Compliance Standards
So, what can you do to ensure that your business meets its basic compliance requirements and is protected against data breaches or other harmful events? Here are a few basic tips to follow:
1. Get Familiar with the Specific Regulations Governing Your Industry
What are the specific security compliance standards your business needs to follow? Many regulations are industry-specific. For example, companies in the healthcare industry usually have to follow HIPAA, companies wanting to work with the U.S. Department of Defense (DoD) will need to meet CMMC requirements, and almost every company that takes credit card payments needs to satisfy PCI DSS.
The first step in meeting regulatory compliance standards is researching the ones that specifically apply to your business. This is often something that your corporate lawyer should be able to help with, and even a search for “compliance requirements for (industry name here)” can be a useful starting point. It may also help to check with the Chamber of Commerce for guidance on which regulations need to be met.
2. Create a Document Listing Your Compliance Gaps
After researching the compliance requirements for your industry, try to put together (or find) a checklist detailing all of the specific requirements you need to satisfy. Then, check off each item you already meet and create a list of the key compliance gaps that remain to be addressed.
For each compliance gap, create a plan of action & milestones (POA&M) detailing how you will address that gap. This documentation can be a key piece of evidence to share with regulators as they assess your compliance efforts.
3. Look for Assistance from an Experienced Managed Security Service Provider (MSSP)
If you’re ever unsure of what to do next for your security and compliance efforts, it can help to seek out an expert opinion. MSSPs often have years of experience in dealing with compliance issues that they can use to help you identify key needs, security gaps, and efficient solutions for achieving compliance.
For example, say that you need to meet NIST 800-171 compliance requirements. The standard contains over a hundred security controls to know, and not all of them are simple to address. Here, having an MSSP who knows NIST 800-171 can help you save a lot of time and money on meeting compliance standards.
Do you need help meeting a security compliance standard for your industry? Reach out to the Systems X team today for help and advice!