The study, conducted by the Ponemon Institute and sponsored by solutions provider Tripwire, finds that companies that regularly review and maintain compliance with leading industry security standards spend roughly a third as much annually as companies and agencies that fall out of compliance. The most compliant companies and agencies spend, on average, $3.5 million annually on security; non-compliant companies spend an estimated $9.4 million. And the standard most often focused on, across the board, is the Payment Card Industry Data Security Standard.
Ponemon interviewed 160 IT practitioners at companies and organizations across numerous industries, including financial services, retail, healthcare and government. Eighteen percent of the benchmark respondents were in financial services, while the next largest group came from the government sector.
"PCI was the one that was top of mind across all industries, because they all take card payments," says Rekha Shenoy, vice president of strategy for Tripwire. "But there were many types of compliance initiatives we reviewed."
The study reviewed compliance with PCI-DSS, Sarbanes-Oxley, the European Union Data Protection Directive, the Health Insurance Portability and Accountability Act and several other U.S. and international laws. "All of these entities were getting audited by outside parties, but 28 percent of these companies had no internal audit of their own," Shenoy says. Those companies spent the most on compliance and non-compliance, the research found. "The companies that do have internal audits and do five or more audits per year, where they are doing automated checking, had a lower cost for compliance and significantly lower non-compliance costs," Shenoy says. "It does pay to be in a constant state of compliance." Based on the review of security investments made over a 12-month period at 46 global companies, Tripwire has published, "The True Cost of Compliance," which analyzes and compiles Ponemon's findings.
Compliance Focus: Security
Banks and credit unions often take the wrong approach to security standards and measures, and they are not alone. Retailers and merchants, healthcare providers, municipalities and local government agencies are guilty of it, too. Rather than focusing on adequately securing accounts, consumer information and payment card details, they focus on passing compliance audits.
Focusing solely on audits, rather than security, leads to complying with only the most basic security standards, says Avivah Litan, distinguished analyst and vice president at Gartner Research. That bare-essentials approach, Litan says, has pushed the Federal Financial Institutions Examination Council to issue new guidance for financial institutions on online banking and authentication. "There is some good stuff in the last guidance, but bankers have not focused on those things; instead, they focused on authentication and did the minimum," she says of the FFIEC guidelines.
Adam Dolby, who heads up online security and authentication systems for Gemalto North America, says banking institutions need to shift their thinking. "It's not just about the technology that gets an examiner off your back, but a solution that protects the movement of money at all stages," he says.
Every company, regardless of industry, is spending money for compliance, but not all are getting secure, Shenoy says. "It was the ones that invested in security practices that were reaping the benefits - those that focused on securing the business, rather than focusing on compliance alone."
Banks, Credit Unions Ahead of Most Industries
Banking institutions, relative to other sectors, fare the best from a security compliance standpoint, Shenoy says. Not only are they investing in more automated tools to ensure compliance, they are more diligent about internal audits and regular compliance checks. "Financial institutions are getting better," she says. "Organized crime seems to now have an easier time getting information from restaurants and hospitals than from banks."
Healthcare ranked the least secure. "It is definitely on the low end when it comes to compliance," Shenoy says. "They also spend the most for non-compliance."
On the government side, the results were mixed, with local governments proving to be the most vulnerable. "It is a mixed bag," Shenoy says. "You have those that get it and those that don't, just like you see on the commercial side. They are bigger and better targets for cybercrimes, and therefore are targeted more often."
What helped banking institutions achieve consistent overall compliance was investment in automated compliance tools. "Automating all of the key pieces so that you are always secure and always compliant made a difference," Shenoy says. "It goes back to thinking about security investments that you make now, with the idea that they will pay off in the long term."
Editor's Note: For more on this new study, listen to this podcast interview with Rekha Shenoy, vice president of strategy for Tripwire.