Cybersecurity compliance still not a priority for businesses, IBM survey finds
In recent years, the most consistent data point in the IBM i Market Survey Results has been the perennial threat to cybersecurity, and this year was no exception. The survey showed that 62% of organizations rank cybersecurity as their number one concern when planning their IT infrastructure, and a further 22% place regulations and compliance in their top five. Yet while security-first organizations appear to be deploying multiple security solutions, it is still alarming that nearly half of the respondents have no plans to implement them.
While it is clear that a healthy, proactive stance on cybersecurity is crucial for any organization, the complexity of the process leaves many industry leaders feeling confused and overwhelmed. For many organizations, cybersecurity standards are simply too complex to master, but that does not make them any less necessary. Understanding how cybersecurity guidelines affect the legal standing of a business can help encourage tighter security.
Failure to comply with various regulations may result in legal consequences
Perhaps the best-known cybersecurity law is the European Union’s General Data Protection Regulation (GDPR). Although it is a European law, it may still apply to some US organizations: if a US-based company partners with EU companies, stores data in the EU, or collects EU consumer data, it must comply with GDPR. While these regulations do not affect most US businesses, non-compliance can have significant ramifications for those that are covered.
Similarly, China’s new data security law applies to non-Chinese companies if they store data in China or collect it from Chinese residents. Failure to comply can result in fines starting at $15,000 and reaching up to $1.55 million. European data protection law is also punitive, with fines reaching tens of millions of dollars in some cases.
However, national data security regulations are not the only concern for companies looking to expand their IT infrastructure. Many specific industries also follow their own cybersecurity regulations. Most notable is the Health Insurance Portability and Accountability Act (HIPAA), which affects companies that process health data. Given the sensitivity of this data, organizations covered by HIPAA must meet rigorous standards.
This means companies need to be vigilant about the security of their third-party apps and services as well as their own systems. For example, teleconferencing platforms like Zoom offer HIPAA-compliant configurations, but they are not HIPAA-compliant across the board. Using third-party apps that do not fall under the relevant regulations could put a business at legal risk.
Failure to comply with industry-specific standards such as HIPAA can cost businesses up to $50,000 per violation, or nearly $1.5 million per year. More serious violations can result in criminal charges and jail time.
Take a strong stance on cybersecurity compliance
Most seasoned cybersecurity experts say that data breaches and other cybersecurity incidents are not a matter of “if” but of “when”.
Cyberattacks have affected businesses and individuals for many years, but attempts to compromise sensitive data have increased dramatically in recent times. And while companies that put security first seem to fare well, those that do not are feeling the pinch.
Corporate investigation experts help these companies meet their obligations by providing comprehensive compliance advisory services. The Corporate Investigations team offers in-depth insight into corporate compliance obligations and when and how governments target companies for compliance failures, from complying with security laws to regulatory compliance in industry-specific sectors.
For these companies to be compliant, they must first determine which laws or regulations they must comply with. For example, every state in the United States has data breach notification laws that require entities to notify their customers in the event of a data breach. Corporate investigation experts can help industry leaders identify state-specific laws and requirements so they can avoid potential compliance violations and their repercussions.
Cybersecurity compliance brings significant business benefits
Having strong cybersecurity compliance measures in place enables companies to protect their reputation, maintain customer trust and retain consumers by ensuring the security of their sensitive data.
For example, a strong response is essential to protect customer loyalty and company reputation during an uncertain and confusing time triggered by a data breach. According to Deloitte, 59% of customers said a single data breach would negatively impact their impression of the business, while 51% would forgive the company as long as they fix the problem quickly.
Compliance with the latest regulations helps companies identify, interpret and prepare for data breaches that can impact their business and ruin their reputation and customer trust.
In addition, companies subject to the various state regulations must facilitate their customers’ right of access to the data collected about them. Under these laws, compliant companies must, on request, provide all personal information stored about a user together with information about how that data is used and where it is stored. This means businesses need to be able to locate data and retrieve it quickly.
For example, companies under the GDPR are only allowed to collect data about customers who opt in to the data collection process, and must also be able to “forget” a user upon request, deleting all of their personal information and ceasing to distribute it to third parties.
These requirements are driving IT organizations to redesign their data management processes to support not only privacy but also greater operational efficiency. Companies can start by auditing their existing data systems to find out whether customers have consented to their data collection program. Following the audit, they can delete the data files of customers who did not consent – and apply organizational systems that make the remaining data indexed and searchable.
With new regulatory requirements and industry standards affecting every sector, cybersecurity compliance remains a driver of business success – and compliant businesses are the ones most likely to stay afloat.