Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/12/2017
04:52 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Security Compliance: The Less You Spend the More You Pay

The costs of complying with data protection requirements are steep, but the costs of non-compliance are even higher, a new study shows.

Like the old saying about an ounce of prevention being better than a pound of cure, complying with data protection requirements can be expensive, but the financial consequences of non-compliance can hurt a lot more.

Research firm Ponemon Institute recently interviewed 237 individuals from 53 multinational organizations on the economic impact of their compliance-related activities.

The study, sponsored by Globalscape, looked at the costs that organizations have incurred or are incurring in meeting the requirements of mandates such as the EU General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI-DSS)and Healthcare Information Portability and Accountability Act (HIPAA). The results were then compared with the findings from a 2011 Ponemon survey on the same topic. The differences were stark and telling.

Average costs of compliance have increased 43%, from around $3.5 million in 2011 to just under $5.5 million this year, while non-compliance costs surged from $9.4 million to $14.8 million during the same period.

On average, organizations that are found non-compliant with data protection obligations these days can expect to fork out at least 2.71 times more money getting into and proving compliance than if they had been compliant in the first place. Overall, non-compliance costs for organizations in the study ranged from $2.2 million at the low end to over $39 million at the high-end.

The findings are important at a time when many organizations are under pressure to meet various compliance objectives. One of the most pressing among them is GDPR, which will begin enforcement actions in May. A surprising 90% of the participants in the Ponemon studied pointed to GDPR as being the most difficult regulation to meet. A previous study this year by Dimensional Research shows that many organizations—regardless of size—expect to spend north of $1 million on GDPR compliance. More than eight in 10 expect to spend at least $100,000.

For the latest study, the Ponemon Institute considered expenses related to activities such as data protection and enforcement, audits and assessments, policy development, and training when calculating compliance costs. Non-compliance costs included those associated with business disruption and related productivity losses, fines, penalties, and settlement costs.

"The overall cost of compliance versus non-compliance was surprising," says Peter Merkulov, chief technology officer at Globalscape. The delta between the two numbers underscores the need for enterprises to be vigilant about protecting data, he says. "The repercussions of not doing so are clearly pretty damaging from a cost perspective."

Larry Ponemon, founder of the Ponemon Institute, adds that a data breach is not the only time non-compliance becomes an issue. "In our model, a data breach is a major source of non-compliance cost, but there are a lot of other reasons non-compliance can become an issue for an organization," he says.

A cloud vendor that provides services to federal agencies, for instance, is obligated to ensure that government data doesn't end up in the hands of unauthorized people. A vendor that fails the contract and gets discovered can face a lot of issues, including fines and mandated workflow changes, even though no data breach was involved. Another example would be a security exploit that results in a denial of service. "You don’t actually lose data here, but you basically suffer a cost because you lack availability and a lot of downtime, and that’s where you can see revenue losses," Ponemon says.

For most enterprises, the cost associated with buying and deploying data security and incident response technologies account for a bulk of their compliance-related expenditure. On average, organizations in the Ponemon and Globalscape survey spent $2 million on security technologies to meet compliance objectives. The study found that businesses today are spending on average about 36% more on data security technologies and 64% more on incident response tools compared to 2011.

Indirect costs, such as those associated with administering a compliance program - everything from building the architecture and governance process to the salaries of people in charge of compliance, internal audits, and assessments - can add up. On average, such costs make up for 40% of compliance expenditures, while direct costs such as payments to consultants and auditors typically account for another 32%. Opportunity costs - which include things like an organization's inability to execute a business initiative because of compliance concerns - accounted for the remaining 28% in the study.

Financial companies tend to spend a lot more - $30.9 million annually - on compliance initiatives than entities in other sectors. Organizations in the industrial sector and energy/utilities sector also have relatively high compliance-related expenses of $29.4 million and $24.8 million respectively annually.

Industries that tend to collect, store, and share some of the most sensitive data, generally tend to have higher compliance costs, Merkulov says. "It would only make sense that they would need to comply with more complex regulations and put more proactive measures in place to protect and manage this data." Transportation, technology, and healthcare are also high on the list for similar reasons.

On the other end of the scale in the Ponemon and Globalscape study were media companies, with $7.7 million in compliance costs annually.

Unsurprisingly, larger enterprises spend more on compliance - and non-compliance - than smaller organizations. But, companies with less than 5,001 employees tend to have substantially higher per-employee costs compared to organizations with large headcounts.

Generally, organizations with effective security programs, that spend more per employee on compliance efforts, tend to spend less on costs related to non-compliance.

The same was true of centralized governance and audits as well. Enterprises that have a centralized data governance program and conduct more regular audits generally end up spending less on compliance costs than others, the report showed.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dromara Partners
50%
50%
Dromara Partners,
User Rank: Apprentice
12/14/2017 | 2:56:22 PM
Excellent content Jai
Excellent work Jai.  The example of the cloud provider serving Federal Agencies was an excellent use case for something that can occur beyond a data breach.  The impact of that type of event can also create an immediate impact on current & future revenue streams, harm the reputation of the supplier across multiple agencies and the increase required investment to regain the trust of a customer base that is very hard to get close to.
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12216
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a heap-based buffer overflow in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12217
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c.
CVE-2019-12218
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12219
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c.
CVE-2019-12220
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c.