The Cost of Compliance

Eric Schou


October 1, 2011

Protection from Cyberattacks Does Not Come Cheap

While data breaches and hidden IT security vulnerabilities threaten all organizations, risk managers also face pressure from another direction -- this time in the form of compliance requirements. The Payment Card Industry Data Security Standards (PCI DSS), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and other regulations have a lot to say about how organizations must protect themselves from cyber-risks.

PCI DSS is particularly detailed. It requires all organizations that accept credit or debit card payments to install a firewall to protect cardholder data and forbids the use of vendor-supplied defaults for system passwords and other security parameters. It also obliges companies to encrypt any cardholder data they transmit across open, public networks and to restrict access to that data to authorized personnel.

HIPAA and SOX likewise lay down specific IT requirements of their own. At a general level, HIPAA is geared towards the protection of patient records and patient privacy and calls for a vulnerability assessment and remediation process, among other technological elements, as a way of achieving network security compliance.

SOX places a strong emphasis on change management. Tracking system and application changes is required for compliance and is a task that is often performed manually in smaller companies. The implementation of an automated change management system is necessary for a complete view of IT operations, while establishing a gate-keeping protocol that tracks and limits access to financial data. It is also important that this kind of change management system makes sure that basic changes like software updates do not have a negative impact on controls and that an audit trail is supplied.

Suffice it to say, these requirements, coupled with privacy protection legislation, particularly at the state level, place very real demands on risk managers. And although anti-malware, antivirus, diagnostic tools, vulnerability assessment, activity monitoring, intrusion detection and other resources can help risk managers achieve compliance, the price can be high.

According to a "true cost of compliance" study conducted by the information security firm Ponemon Institute, the average cost of compliance was $3.5 million per organization, ranging from $446,000 at the low end to $16 million at the high end. Clearly, organizations that want to bring themselves into compliance will have to spend some serious money.

But these numbers pale in comparison to the cost of noncompliance. In the same study, Ponemon reported that the extrapolated average cost of noncompliance for the same organizations was $9.4 million, ranging from $1.4 million at the low end to $28 million at the high end. These costs come from everywhere: business disruption, productivity losses, reputational damage, customer attrition, fines and legal settlements.

So although the cost of compliance appears to be daunting, particularly in an economic environment characterized by strained resources and pared-down budgets, the alternative can be much worse. Compliance may cost you money, but noncompliance can cost you your business.

Eric Schou is a group product marketing manager and part of the risk and compliance group at the IT security firm McAfee, Inc.