FFIEC Compliance Could Save You Money

Study Suggests Security Compliance Reduces Long-Term Expenses

By , February 1, 2011.
FFIEC Compliance Could Save You Money

H

See Also: Digital Identity Verification for Fraud Mitigation

ow expensive is compliance? A new survey finds that security compliance actually reduces long-term expenses.

The study, conducted by the Ponemon Institute and sponsored by solutions provider Tripwire, finds that companies that regularly review and maintain compliance with leading industry security standards save three times more annually than companies and agencies that fall out of compliance. The study found that most compliant companies and agencies spend, on average, $3.5 million annually on security; non-compliant companies spend an estimated $9.4 million. And the most-often focused on standard, across the board, is the Payment Card Industry Data Security Standard.

Ponemon interviewed 160 IT practitioners at companies and organizations that crossed numerous industries, including financial, retail, healthcare and government. Eighteen percent of the benchmark respondents were in the financial-services space, while the next largest group came from the government sector.

"PCI was the one that was top of mind across all industries, because they all take card payments," says Rekha Shenoy, vice president of strategy for Tripwire. "But there were many types of compliance initiatives we reviewed."

The study reviewed compliance with PCI-DSS, Sarbanes-Oxley, the European Union Data Protection Directive, the Health Insurance Portability and Accountability Act and several other U.S. and international laws. "All of these entities were getting audited by outside parties, but 28 percent of these companies had no internal audit of their own," Shenoy says. Those companies spent the most on compliance and non-compliance, the research found. "The companies that do have internal audits and do five or more audits per year, where they are doing automated checking, had a lower cost for compliance and significantly lower non-compliance costs," Shenoy says. "It does pay to be in a constant state of compliance." Based on the review of security investments made over a 12-month period at 46 global companies, Tripwire has published, "The True Cost of Compliance," which analyzes and compiles Ponemon's findings.

Compliance Focus: Security

Banks and credit unions often take the wrong approach to security standards and measures, and their perspectives are not isolated. Retailers and merchants, healthcare providers, municipalities and local government agencies are guilty of it, too. Rather than focusing on adequately securing accounts, consumer information and payment card details, they focus on passing compliance audits.

Focusing solely on audits, rather than security, leads to complying only with the most basic security standards, says Aviva Litan, distinguished analyst and vice president at Gartner Research. That bare-essentials approach, Litan says, has pushed the Federal Financial Institutions Examination Council to issue new FFIEC guidelines for financial institutions in the areas of online banking and authentication. "There is some good stuff in the last guidance, but bankers have not focused on those things; instead, they focused on authentication and did the minimum," she says of the FFIEC guidelines.

Adam Dolby, who heads up online security and authentication systems for Gemalto North America, says banking institutions need to shift their thinking. "It's not just about the technology that gets an examiner off your back, but a solution that protects the movement of money at all stages," he says.

Every company, regardless of industry, is spending money for compliance, but not all are getting secure, Shenoy says. "It was the ones that invested in security practices that were reaping the benefits - those that focused on securing the business, rather than focusing on compliance alone."

Banks, Credit Unions Ahead of Most Industries

Banking institutions, relative to other sectors, fare the best from a security compliance standpoint, Shenoy says. Not only are they investing in more automated tools to ensure compliance, they are more diligent about internal audits and regular compliance checks. "Financial institutions are getting better," she says. "Organized crime seems to now have an easier time getting information from restaurants and hospitals than from banks."

Healthcare ranked the least secure. "It is definitely on the low end when it comes to compliance," Shenoy says. "They also spend the most for non-compliance."

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Breach Prevention: 5 Lessons Learned

As organizations set their 2015 priorities for security defenses and breach prevention, they should...

Latest Tweets and Mentions

ARTICLE Breach Prevention: 5 Lessons Learned

As organizations set their 2015 priorities for security defenses and breach prevention, they should...

The ISMG Network