Make Compliance Your Company’s Advantage During This Economic Contraction

In the coming months, organizations of all types should expect to adapt to a market in which restrictions on doing business are heightened.

From data breaches to supply chain disruptions, COVID-19, and financial market disruptions, companies need to be ready to navigate any scenario in 2020 and beyond. Trust is an anchoring force in this instability.

Now more than ever before, every third-party entity has the potential to introduce new risks into ecosystems of vendors, strategic partners, and technologies. In the first half of 2019, for instance, third-party breaches accounted for over half of all data breaches in the United States. Early in 2020, the global economy began a tumultuous shift into an unpredictable future. Economists say the U.S. is entering a sharp recession, with some projecting that gross domestic product is headed for its worst drop in quarterly records going back to 1947.

As a director or manager who oversees the IT security and compliance function at your company, you’re setting the direction that your company will rely upon for years to come. The infrastructure, processes, and policies that you develop will help your company take advantage of opportunities while managing the unknown. 

That is reflected in Hyperproof’s 2020 IT Compliance Benchmark Report (survey conducted in 2019): 62% of respondents say their organization is planning to increase spending on compliance in the next 12 to 24 months, with 21% of all respondents anticipating budget increases of 50 to 100 percent year over year. Compliance and growth functions are inextricably linked.

In just a few short months since Hyperproof ran this survey, compliance landscapes have already begun to shift. What that means is that companies need an even stronger footing for navigating the unknown.

Now is the time to reinforce trust

Maintaining strong data protection measures as well as an ethical and transparent culture has become a differentiator for retaining customers as well as employees. Stories of user privacy failures and unethical conduct at corporations have made their way to the forefront of organizational agendas. Trust needs to be demonstrable and provable through well-documented processes and strategies. As a result, even smaller businesses should expect to undergo routine audits.

Consistent with this, Hyperproof’s 2020 IT Compliance Benchmark Report found that 66% of all organizations plan to hire additional full-time staff to support the compliance function. Meanwhile, 38% of all organizations cited business expansion as a top factor driving their compliance spend increase.

With the emergence of COVID-19, many organizations have unexpectedly had to slow down their compliance work. This is occurring at a time when compliance needs are greater than ever due to fully remote workforces, new attack vectors, and more frequent exchanges of high-impact personal information driven by urgent healthcare needs.

Given the social distancing guidelines put in place by the United States government and the face-to-face nature of much compliance work, organizations now face unprecedented choices about how to responsibly run their businesses without the assurances they require. As organizations take measures to prevent the spread of COVID-19, new compliance challenges emerge, so it’s important to remain diligent.

These trends reflect a need for organizations to maintain a balance of offense and defense — taking an active role to respond to threats while also preventing them before they have a chance to happen. But research from McKinsey has found that companies are struggling with respect to the prioritization of their efforts.

“We found that first and second line compliance staff were spending 80% of (remediation time) on issues of low or moderate materiality, and only 20% on critical high-risk issues,” explains a recent report from McKinsey.

Not to mention, the report elaborates, “Arising issues are approached one at a time and in isolation; remediation efforts are inadequately measured and tracked.”

So what’s the best way to align your company’s risk management function with sustainable growth initiatives, given the close link between the two?

Get relentlessly clear on your overall risk portfolio

You already know that you need to prioritize your risks. But now, you need to be relentless in your due diligence. The tone of global business has changed, and any misstep has the potential to wreak havoc on your business. It’s time to free up valuable brain power and allow your teams to focus on long-term risk mitigation efforts rather than chasing ever-moving remediation needs.

We explored this question in Hyperproof’s IT Compliance Benchmark Report.

When asked “which of the following factors cause your job to be more stressful?”, respondents ranked external risk factors higher than internal ones, with cybersecurity, data privacy, and keeping up with regulatory changes as the top 3.

Expect these pressures to increase to unpredictable extents in 2020 and beyond, considering the following facts:

  • At this time, every organization is deeply connected to and dependent on others through the use of third-party SaaS applications and cloud infrastructure providers.
  • More than 80 countries and more than 40 U.S. states have regulations around data privacy.
  • With the appearance of COVID-19, remote work has become the new normal. With remote work come new attack vectors: when employees work from home outside of secure corporate networks, they become more susceptible to hacking attempts.

With this perspective in mind, companies can better prioritize their risk and compliance management budgets and operating plans.

Research indicates that failure to comply has become more costly than ever for organizations, far exceeding the costs of compliance. Based on a 2019 report by research firm the Ponemon Institute and security company GlobalScape, the annual cost of non-compliance with data protection regulations now runs an average of $14.8 million per business, a 45% increase since 2011. The range can be anywhere from $2.2 million to $39.2 million. These results were based on a sample of 53 multinational corporations.

It’s not an option to let control processes slip through the cracks. The answer is to hold your organization to a high standard by giving risk and compliance leaders better visibility into the performance of control processes.

Hold your organization to even higher standards

Compliance is a living function within your organization — that is, your controls have to change as processes and technology change. A control that was meaningful five months ago may now be obsolete because a business function adopted a new application. That’s why your organization needs to engage in ongoing monitoring — to ensure that you’re double-checking the controls whose failure can lead to costly hiccups.

So how do you ensure that your control processes are being performed correctly and on time? 

A compliance monitoring program includes ongoing surveillance, review, and analysis of key business performance and risk indicators. The goal of this type of program is to uncover early indicators that a control failure may be developing.

Our survey found that just 5% of all respondents say they do not have a process in place for compliance monitoring. Meanwhile, 27% rely on external audits only and 27% rely on both internal and external audits. Just 41% of respondents say they use a combination of monitoring methods in addition to external and internal audits. Larger companies are more likely to report that they have a variety of monitoring methods in place, which makes sense because larger companies have heightened needs and greater risk exposure.

What’s important is that no matter where you are in your risk management strategy, you adopt a monitoring process to start. Establishing a foundation now means that your organization can evolve over time.

Keep leveling up the standard. Never become complacent. This involves developing a controls process with an ongoing, transparent means of knowing whether tasks are being performed. Controls fall into the following categories:

  • Physical controls: doors, locks, security cameras
  • Procedural controls: incident response processes, management oversight, security awareness and training, background checks for personnel who handle critical systems
  • Technical controls: user authentication (login) and logical access controls, antivirus software, firewalls
  • Legal and regulatory controls: policies, standards, etc.

Building controls from the ground up in this way lets you get ahead of potential problems before they have a chance to amplify.

Final Thoughts

Compliance is your strategic advantage, differentiator, and safety mechanism — all in one. As the world navigates an era of unprecedented uncertainty, organizations need to be ready to act and adapt. As an organization, you need to ensure that you’re always moving and staying ahead of the next challenge.

The risks your organization faces will always evolve. The key to getting ahead of problems is to take action and build processes before challenges bubble to the surface.

How Hyperproof can make your compliance efforts more effective

Hyperproof is a continuous compliance service designed to give compliance professionals the ability to easily collect evidence (to verify the efficacy of internal controls) and collaborate with stakeholders to keep compliance controls up to date 365 days a year. Hyperproof not only reduces the administrative work in compliance processes, it also helps organizations mitigate their risks on an ongoing basis, which is especially important at a time when the chances of experiencing a data breach or a compliance violation are greater than ever.

If you’d like to learn more about how Hyperproof can help your organization stay on top of your risks and control evaluation efforts, we’d love to talk. You can sign up here for a consultation and personalized demo.

The post Make Compliance Your Company’s Advantage During This Economic Contraction appeared first on Hyperproof.

*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: