Security Compliance Eases Cost Burden

Wednesday, February 2, 2011 @ 06:02 PM gHale

Complying with regulations and standards costs a manufacturer roughly one third of what noncompliance does, according to a new report.

Complying with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the PCI Data Security Standard (PCI DSS) can cost companies up to $3.5 million, while noncompliance can cost close to $9.4 million, according to the True Cost of Noncompliance report. Tripwire Inc. and the Ponemon Institute, which conducted the study, based their findings on a survey of 160 businesspeople at 46 multinational companies across a range of industries.

The report broke noncompliance costs into four areas: fines and penalties, revenue loss, data breach costs, and lost productivity.

Data protection and enforcement activities ranked among the most expensive compliance activities, and business disruption and loss of productivity ended up being the most significant expenses for companies that did not achieve or maintain compliance.

Total cost of compliance varies by industry, ranging from $6.8 million for education and research to more than $24 million for the energy sector. The gap between compliance and noncompliance costs also varies by industry, with energy showing the smallest difference ($2 million) and technology the largest ($9.4 million).

While security effectiveness was found to be unrelated to the absolute cost of compliance, organizations that devote a higher share of their overall IT budget to compliance suffer fewer of the negative consequences and costs associated with noncompliance, the study found.

The report also found that 28% of those surveyed did not conduct internal compliance audits, while 11% conducted more than five internal audits each year. Organizations that conduct three to five internal compliance audits a year had the lowest per capita compliance cost ($154), while those that conducted no internal audits had the highest ($341).

The report said organizations should use a combination of compliance activities related to process, people and technology to limit risks. By investing resources in compliance activities, businesses can avoid falling victim to consequences such as cyber fraud, business disruption, and data and revenue loss, according to the report.
