Data is king. Understanding where it travels, where it resides and how best to protect it is no longer just an option; it's a necessity for all businesses. Organizations are burdened with the responsibility of protecting customer, partner and vendor data, and storing it as securely as possible. Government mandates and regulations such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley are constructed to help us do just that: keep private data private.
The enforcement of these privacy regulations underscores the new era of complex policies developed to protect data at the individual level from increasingly sophisticated cyberattacks. We're just getting started, as more data protection regulations and frameworks are expected to be developed and implemented globally in the near future.
Pay now, or pay much, much more later
Globalscape recently partnered with the Ponemon Institute to quantify the cost of compliance and non-compliance to businesses. The report, called True Cost of Compliance with Data Protection Regulations, found that if companies invested in compliance activities upfront (such as audits, enabling technologies, training and expert staffing), they could avoid the astronomical financial impact of non-compliance.
Consider these staggering numbers: non-compliance costs businesses on average $14 million, a 45 percent increase since 2011. For those businesses that do comply, costs averaged around $5.47 million annually, less than half the cost of non-compliance.
Factors of compliance readiness
Compliance readiness varies by organizational size and industry. When adjusting compliance and non-compliance costs by each organization's headcount, smaller companies (fewer than 5,000 employees) incur substantially higher per-capita compliance costs than larger companies (more than 5,000 employees).
Understandably, organizations in heavily regulated industries have the highest compliance costs. For example, we saw a spread from $7.7 million for media to more than $30.9 million for financial services. Between 2011 and 2017, healthcare organizations and technology companies experienced the highest growth in cost, at 106 percent and 99 percent, respectively. Energy and utilities companies and retail companies experienced the lowest growth in total compliance cost, at 6 percent and 40 percent, respectively, according to our report.
Reducing compliance costs
Whether you choose to invest in technologies such as managed file transfer (MFT), data loss prevention, data classification or governance, risk and compliance solutions, or better enforcement of current data protection policies, the risks and rewards from a cost perspective are clear. Keep the following in mind on your journey to compliance:
Evaluate data governance programs and auditing processes
The deployment of a centralized data governance program can reduce total compliance costs by $3.01 million, according to our report. Similarly, we found that conducting compliance audits reduces total compliance costs by $2.86 million. Governance can help organizations maintain the oversight required to understand, track and audit where sensitive data is shared and, ultimately, stored. This is increasingly important because regulations like GDPR and PCI DSS require specific response times and data protection measures. Regular audits can reveal where an organization fails to meet compliance measures before an incident occurs or a regulatory body imposes fines or other penalties.
Among individual regulations, 90 percent of survey respondents said they believed GDPR would be the most difficult to achieve within their organization. PCI DSS was the second most difficult, followed by U.S. state laws and HIPAA.
Does your managed file transfer solution meet compliance mandates?
Data privacy matters. It's the core reason why compliance regulations are in place. Do you understand how data moves throughout your organization? Are you certain that your MFT solution meets compliance mandates?
In addition to complying with regulatory guidelines, organizations should provide employees with the right training and tools to ensure they are consistently working in ways that improve their security posture. To counter end-user error and poor data-sharing practices, companies should consider offering their workers intuitive, convenient tools that automatically provide higher levels of protection, such as encryption. This strategy aims to ensure team members don't disregard best practices and resort to less dependable consumer-grade programs.
Ensuring data privacy is worth the long-term investment
Organizations can implement preventative measures to better control, integrate and govern data so that compliance is easily achievable and staggering costs are avoided. Through the use of technology, regular audits and the strengthening of governance and visibility structures, these compliance mandates are not only achievable but worth the long-term investment.
Peter Merkulov serves as Chief Technology Officer at Globalscape. He is responsible for leading the product strategy, product management, product marketing, technology alliances, engineering and quality assurance teams. Merkulov has more than 16 years of experience in the IT security industry, specifically in product strategy and management. Merkulov holds a master's degree from Moscow State Institute of International Relations (University) MFA Russia MGIMO.