The Crucial Relationship Between IT Security and IT Compliance  

IBM’s most recent “Cost of a Data Breach Report” found that 83% of global organisations have had more than one data breach, 60% of breaches led to price increases being passed on to customers and that 45% of breaches were cloud-based. Perhaps most tellingly, the average total cost of a global data breach climbed to $4.35 million in 2022, a 12.7% increase on IBM’s 2020 report.

The United States is the worst impacted country and the average cost of a data breach there is more than twice the global figure at $9.44 million. The report names Canada and the United Kingdom as the second and third worst-impacted countries with $5.6 million and $5.0 million, respectively. They are followed by Europe’s largest economy where a data breach in Germany has an average cost of $4.85 million. The fastest growth rate was recorded in Brazil where the year-over-year increase was nearly 28%.

Healthcare is by far the sector where cyber-attacks cause the most carnage and a breach now has an average cost of $10 million, significantly higher than the second-placed financial sector which averages just under $6 million. In 2022, the mean time to identify and contain a data breach around the world was 277 days, a 10-day decrease on 2021.

As can be seen from IBM’s report, cyberattacks can have devastating consequences and organisations need to have effective security measures in place to safeguard digital assets. The situation is becoming even more urgent for businesses as governments scramble to introduce tighter regulatory requirements to clamp down on poor security practices, creating an ever more complex legal landscape.

IT security involves the implementation of technical controls and practices to protect an organisation’s network, data, assets, employees and customers from threats. Those threats can include malware which refers to malicious software viruses, phishing attacks where an attacker impersonates a trusted contact and denial-of-service attacks where systems, servers or networks are overwhelmed, to name just a few.

Those threats are constantly evolving and so too must IT security. The stakes are high and successful attackers can interrupt the company’s services, unleash ransomware with crippling financial consequences or steal data to destroy a corporate reputation. While the technical aspects of IT security are usually prioritised by companies, it is equally important to develop a cybersecurity culture whereby employees are conscious of the consequences of poor practice. This should involve extensive training resulting in a vigilant workforce ready to identify potential threats and follow strong security practices.

IT security and IT compliance are both aspects of risk management that contribute to the protection of digital assets but they operate very differently. While IT security is focused on technical measures and practices, IT compliance ensures that those measures and practices meet certain third party regulatory or contractual requirements. These can range from government policies and industry standards to security frameworks or the contractual obligations of the product or service being provided. Organisations have to implement the practices defined by the third party to demonstrate they have a minimum level of IT security in place.

While IT security measures such as firewalls and strong password management are designed to protect a company’s assets, the overall security and compliance needs of the organisation need to align. A set of frameworks and certifications can help companies boost compliance in the realm of cybersecurity and these can differ significantly depending on the end goal.

If a company sticks to strong IT security standards and gains certification, it sends a message to customers that the organisation is trustworthy and that the products or services it offers are of a high quality.

It is also important to mention that while good IT compliance is essential for businesses today, it has to function as part of an effective IT security framework and it should form a key part of a comprehensive IT security strategy.

Depending on the market a company is operating in, it may be subject to obligatory IT compliance standards. A key example here is the EU’s GDPR which has hundreds of pages’ worth of requirements and is considered one of the toughest privacy laws anywhere in the world with violations adding up to hundreds of millions of euro.

On the other side of the Atlantic, the California Consumer Privacy Act of 2018 compels businesses to provide customers with notices explaining their privacy practices. Another mandatory compliance and certification standard is in place for cloud providers intending to sell their services to the US government. They must comply with the Federal Risk and Authorization Management Program (FedRAMP) where they undergo an independent security assessment conducted by a third-party organisation. Once compliance is assured, they can obtain an Authority to Operate.

Elsewhere, there are numerous standards that are not legally binding aimed at showcasing the strength and quality of a company’s IT security and compliance framework. These are some of the best known:

SOC: SOC compliance is a type of certification where a service organisation has completed a third-party audit showing that it has certain controls in place. There are three different types depending on the overall goal. SOC 1 is exclusively focused on controls affecting customers’ financial reporting. SOC 2 is less specific and assesses service provider controls for TrustServices criteria such as security, availability, confidentiality and privacy. SOC 3 is similar but at a higher compliance level. Whereas SOC 2 is geared towards the audience of client companies and their shareholders, SOC 3 is aimed at the general public.

ISO/IEC 27001: The Geneva-based International Organization for Standardization (ISO) has published over 24,500 international standards related to technology and manufacturing since 1947. ISO standards are some of the best known and they constitute industry-best practice. ISO/IEC 27001 is highly relevant for companies given that it outlines requirements for the establishment, implementation, maintenance and continual improvement of an information security management system with the aim of making corporate assets more secure.

NIST CSF: In the US, the National Industry for Standards in Technology (NIST), a non-regulatory agency house in the US Department of Commerce, has published numerous IT security standards such as the well-known Cybersecurity Framework (CSF). Alongside ISO 27001, NIST CSF provides a solid standard for the design and implementation of a strong IT security system across many industries. It has also been translated into many languages and is used outside the US by governments and different organisations.

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations handling credit cards from the five major providers – American Express, Discover, JCB, Mastercard and Visa. It was created in the early 2000s to increase controls around cardholder data to reduce credit card fraud. The standard specifies 12 requirements for compliance that are organised into six groups called control objectives. Validation of compliance involves evaluation and confirmation that controls and procedures have been properly implemented as per the standard’s policies.

ISO/IEC 27001 and PCI DSS are standards for which it is possible to assess and provide attestation of conformity which means that companies can get certified. NIST CSF is different in this regard, however, as it is only a guidance.

It is also essential to mention the burden on organisations in the healthcare sector given it suffered the greatest impact from data breaches in IBM’s report. Patient data is frequently targeted by bad actors while the indispensable nature of healthcare services have made them the target for ransomware attacks.

A recent example of the latter occurred in 2021 when a cyberattack on the Irish healthcare system shut down IT systems, cancelling medical procedures and costing taxpayers more than €100 million. International standards are now seeking to shore up IT security in healthcare. In the US, the Health Insurance Portability and Accountability Act (HIPAA) determines how companies within the healthcare sector share and handle patient information. Failure to comply with the standard’s cybersecurity controls can lead to significant fines that average $1.5 million.

Make no mistake, IT security standards and certifications are complex. A compulsory law such as the GDPR is certainly a daunting prospect for companies to negotiate while the exorbitant penalties are likely to keep some compliance officers awake at night. The good news is that a best-practice solution is available to ease the burden: digital compliance.

Digital software has revolutionised compliance workflows in recent years and RegTech solutions such as digital policy managers, interactive rulebooks and web-based whistleblowing systems have transformed compliance department workflows. State-of-the-art integrated compliance platforms combine many of the above features into one comprehensive and seamless package.

When it comes to IT security and IT compliance, the latest software packages fully comply with the requirements of laws such as the GDPR while amalgamating crucial data. The proper documentation of processes is a hugely important aspect of IT compliance, and a digital audit trail can greatly facilitate an investigation.

IT security and data privacy assessments are time consuming for any company and those utilising cutting-edge compliance software have the advantage of only needing to carry them out once.

When implemented correctly, IT security and IT compliance naturally complement each other and afford an organisation numerous benefits. Lapses in IT compliance can be costly on the other hand, leading to financial penalties, fines or an organisation being banned from selling its products and services in a certain market. If any of these occur, a business will also swiftly see its reputation erode and a knock-on effect on its customer base.

Another recent example of how things can go wrong, also in healthcare, occurred in an Italian hospital where a set of inspections on the processing of data acquired through whistleblowing systems revealed infringements that were traced back to the IT service provider. The company providing the whistleblowing system software failed to regulate its relations with the hosting provider when acting as the processer and the separate controller, resulting in both it and the hospital being levied with a €40,000 fine.

Data breaches also carry a high reputational risk, especially when personal customer information is stolen after it was entrusted to a business. Such incidents attract plenty of attention from the media and if they occur, an organisation must spend considerable time and resources trying win back the trust of customers who may feel betrayed. In some cases, this is no longer possible.

An organisation consistently failing in its IT security and compliance obligations will also be viewed as a less attractive proposition by both investors and prospective business partners. If companies implement tough certification standards and achieve full IT compliance, the level of risk they face will be drastically reduced and they will gain far more opportunities.