40% of IT security budgets spent on 'compliance burden' as 43% of orgs reported to ICO over GDPR

News by Andrew McCorkell

43% of organisations have been reported to the ICO, and this increased IT compliance burden is soaking up IT security budgets, with the focus on third-party data rather than the company's own assets.

The majority (58 percent) of businesses feel that compliance requirements are a barrier to entering new markets, new research in the 2020 Cyber Report has found. 

The figures show that businesses are struggling to cope with a rising number of compliance requirements and this is stalling growth.

In the findings of a new study, half (51 percent) of those asked said they spend at least 40 percent of their IT security budgets on data protection and security compliance. 

The same proportion says that the work costs them as much as 20,000 hours of resource each year.

Speaking to SC Magazine, Andy Barratt, UK managing director of cybersecurity consultancy Coalfire, said: “Being compliant is not the same as being secure and an over-focus on meeting regulations drives certain behaviours that don’t always help address the specific cyber-threats a business faces.

“Regulations typically focus on the resources a firm uses that are owned by external stakeholders – card data, personally identifiable information, for example.

“Protecting one’s own assets is another, just as important, focus that firms have limited time and money to invest in thanks to the increasingly demanding compliance regimes they have to maintain.”

A siloed approach to compliance that doesn’t maximise efficiency or produce solutions that serve the business’s wider objectives is ultimately diverting investment away from security, he said.

“IT teams need to start thinking differently about compliance and align these efforts more closely with their company’s wider strategic objectives if they are to enable growth and effectively manage cyber risk.”

Around seven in ten firms (70 percent) say they have to manage a minimum of five different compliance projects at any one time, while some (seven percent) must work on 50 or more.

The burden of compliance has already become unsustainable for a lot of businesses, Barratt said.

He also pointed to the heightened sensitivity towards data privacy issues that accompanied the introduction of GDPR.

This has seen cybersecurity standards change dramatically, from point-in-time reviews to continuous, outcome-based processes.

“The post-Covid-19 economy is going to force businesses to be leaner and more efficient operationally and firms can’t afford to spend time and money on activity that isn’t furthering their commercial ambitions,” Barratt said. 

“IT teams need to start thinking differently about compliance and align these efforts more closely with their company’s wider strategic objectives if they are to enable, rather than inhibit, growth in the future.”

The survey included more than 100 prominent IT and security executives representing industries including technology, financial services, manufacturing, healthcare and government.

Coalfire’s report, Compliance in the Era of Digital Transformation, describes how public and private sector organisations are developing to address the ever-growing burden of IT compliance. 

Key findings:

  • More than 51 percent are spending 40 percent or more of their IT security budgets on compliance.
  • Nearly 60 percent of companies view compliance as a barrier to entering new markets.
  • A change in cyber standards from point-in-time assessments to continuous, outcome-based compliance requirements.
  • Some 66 percent indicate that technology with automation, ongoing visibility, and coordinated assessments is now critical to compliance transformation and to reducing audit fatigue and the total cost of compliance.

Coalfire collaborated with global technology analyst consultancy Omdia to research the impact of cyber compliance in the first quarter of 2020.

It looked at how public and private sector organisations are managing risk through the prism of growing compliance demand.

Alan Rodger, senior analyst at Coalfire’s research partner Omdia, said: “Despite the exponential growth in compliance obligations, our research shows that positive business and security outcomes are possible.

“By adopting new best practices, some organisations are reporting 40 to 50 percent compliance resource savings, and many are using their improved security posture as a competitive differentiator.”

The survey included 107 prominent officers, directors, and managers from around the world in the fields of IT, compliance, and risk management.

Meanwhile, separate research found that 43 percent of IT decision-makers admitted that their organisation had been reported to the ICO since GDPR came into force.

The survey also highlighted an increase in the implementation of encryption and endpoint control since GDPR was enforced. 

The research, from Apricorn, a manufacturer of 256-bit AES XTS hardware-encrypted USB drives, looked at how organisations have changed their attitudes and approaches to cybersecurity since GDPR was introduced.

A quarter of IT decision-makers said they had notified the ICO of a breach or potential breach within their organisation.

Some 21 percent have had a breach or potential breach reported by someone else. 

More than 160,000 breach notifications have been made to data supervisory authorities in the European Economic Area (EEA) since GDPR came into play, according to a data breach survey carried out by law firm DLA Piper, up to the end of January 2020.

Jon Fielding, Apricorn managing director EMEA, said: “The fact that so many businesses are now choosing to notify of a potential breach is positive, but likely precautionary to avoid falling foul of the requirements and any significant financial or reputational ramifications.”

Almost all respondents (94 percent) said their organisation has a policy that requires encryption of all data held on removable media.

Of those that encrypt all data held on removable media, more than half (57 percent) hardware encrypt all information as standard on all removable media. 

“The wide variety of options for encryption deployment can be intimidating, and companies haven’t been using it effectively,” Fielding added.

“Organisations are now beginning to recognise the importance of endpoint hardware encryption and the need to implement and enforce policies to protect corporate data, ensure compliance with data protection regulations, and reduce the potential for a data breach.”

Some 42 percent said they permitted only corporate IT provisioned/approved devices for remote working - a huge rise compared with 12 percent in 2019, highlighting a positive shift in focus towards endpoint control.

Fielding added: “It’s clear that GDPR is finally having some impact, but businesses need to recognise that compliance is ongoing and they should continue to enforce and update all policies.

“Equally, more needs to be done in terms of employee awareness and education if they want to reduce the risk of a data breach, particularly given the increase in data moving beyond the corporate network.”

Other key stats

  • Nearly four in ten (39 percent) have noticed an increase, and their organisation now requires all data to be encrypted.
  • No further plans to expand encryption on USB sticks (38 percent), laptops (32 percent), desktops (37 percent), mobiles (31 percent) and portable hard drives (40 percent).
  • On data breaches, more than a third (35 percent) of respondents cited damage to the brand and reputation of the business as their main concern, followed by financial costs for incident response and clean-up (28 percent), loss of customer trust (18 percent) and financial costs resulting from a fine (12 percent).
  • Employees unintentionally putting data at risk remains the leading cause (33 percent) of a data breach, with lost or misplaced devices now the second biggest cause (24 percent), and third parties mishandling corporate information not far behind (23 percent).

The Apricorn research was conducted in March by Censuswide.

It included 100 UK IT decision-makers (CIOs, heads of IT, IT directors, senior IT managers etc.) from enterprise organisations (1000+ employees) within the financial services, IT, manufacturing, business and professional services sectors.
