IT Cybersecurity Compliance Survey
Key takeaways from the 2023 IT Cybersecurity Compliance Survey by Hornetsecurity
- 78.8% of organizations are more concerned about compliance issues now than five years ago.
- 57.2% of organizations believe the burden of compliance falls on the IT department.
- 59.1% of respondents say that meeting IT compliance requirements impacts IT departments’ day-to-day activities.
- 21.6% of organizations say they use automation tools to verify IT compliance requirements.
- 33.3% of respondents say the lack of reporting and auditing tools is the main reason why the cloud isn’t a reliable data storage solution for their organization.
- 81.7% of respondents believe they would gain ‘moderate’ to ‘extreme’ benefits from a new compliance management tool in Microsoft 365.
- 27.6% of SMEs employ a dedicated IT compliance officer.
- 35.3% of large organizations (1000+ employees) have received penalties for non-compliance, with the majority originating from Europe.
The Current IT Cybersecurity Compliance Landscape
The landscape of IT compliance is continually evolving as organizations strive to meet the stringent demands of an increasingly complex regulatory environment. With the rapid advancements in technology and the growing importance of data protection, IT compliance has become a critical focus for businesses across various industries.
One reason, in particular, is the growing emphasis on cybersecurity. Modern cybersecurity measures dictate the best practices for total security in the digital world for businesses and individuals. From cybersecurity solutions and backups to raising security awareness, businesses are finding it more and more difficult to navigate the digital world. Furthermore, the more we transition into the digital world, the more security incidents become commonplace.
As cyber threats continue to escalate, regulatory bodies are placing greater importance on organizations’ ability to safeguard their IT systems, infrastructures, and data from unauthorized access, breaches, and malicious activities. Modern compliance requirements often include implementing robust cybersecurity measures, conducting regular cybersecurity vulnerability assessments, and establishing incident response plans.
Another prominent aspect of the current landscape of IT compliance is the proliferation of regulatory frameworks. Governments and regulatory bodies worldwide have implemented stringent laws and regulations to safeguard sensitive information, promote data privacy, and mitigate emerging cybersecurity risks. Organizations must navigate a maze of requirements, ranging from general regulations like the GDPR and CCPA to industry-specific standards such as PCI DSS and HIPAA.
Unfortunately, the current landscape of IT compliance doesn’t tolerate failure: falling short of these laws and regulations can result in costly penalties. These penalties may be financial, license-related, or something else entirely.
Speaking on the matter, David Coolegem, Senior Manager at Sia Partners, said: “The fines of GDPR are big, but the reputational risk is likely to be bigger.”
Because of this, and the necessity to protect sensitive information, organizations are forced to meet government IT compliance regulations. Even if organizations entirely rely on cloud-based solutions, they still must adhere to the rules and laws put in place to protect customer data.
Pros and Cons of Following IT Cybersecurity Compliance Requirements
Pros of IT Cybersecurity Compliance
- Data Protection and Security
IT compliance allows businesses to implement robust security measures and practices to safeguard sensitive data and protect themselves and their customers from data breaches and cyber threats.
- Legal and Regulatory Compliance
Complying with IT compliance requirements ensures businesses meet the necessary legal and regulatory obligations, essentially helping them avoid costly penalties and legal fines.
- Customer Trust and Reputation
Meeting IT compliance requirements helps boost a business’s trust and confidence with customers and stakeholders. A demonstrated commitment to protecting customer data, privacy, and rights strengthens the business’s reputation in the market.
- Risk Mitigation
A large part of complying with IT compliance requirements involves assessing risk and developing risk mitigation strategies. As such, adherence to these requirements allows businesses to uncover and address potential risks.
- Operational Efficiency
In addition to providing best practices for data protection and security, IT compliance requirements provide a framework and guidelines for IT processes and operations best practices.
Cons of IT Cybersecurity Compliance
- Resource Intensive
One of the main cons of complying with IT compliance requirements is that it requires significant resources. From financial investments to hiring dedicated compliance officers and similar personnel, some businesses might initially struggle with the costs associated with compliance efforts.
- Complexity In Meeting Standards
IT compliance standards have gotten increasingly complex and stringent over the years. As such, staying current with the constant changes in compliance requirements can pose a challenge and a great burden on organizations.
- Impact on Innovation
To carry out compliance activities, businesses might have to divert resources away from business operations and innovation departments. As such, compliance can have an impact on innovation.
- Hassle
The constant need to meet compliance requirements can lead to compliance fatigue. In addition, compliance audits can be stressful and a hassle for many organizations, especially SMBs.
4 in 5 Organizations Are More Concerned About IT Cybersecurity Compliance Issues Now Than Five Years Ago
The main finding of our survey revealed a significant shift in organizations’ thinking and attitude regarding IT compliance compared to the past half-decade. Nearly 4 in 5 organizations are more concerned about IT compliance issues than five years ago.
Nowadays, stringent IT compliance laws and regulations leave very little room for error. The survey’s finding underscores the evolving regulatory landscape and the ever-increasing importance of data protection, data privacy, and data governance.
The survey’s findings imply that organizations are well aware of the potential security threats, such as phishing, lurking in the digital world, and, more importantly, of the potential risks associated with non-compliance. Several factors play a decisive role in today’s heightened compliance awareness.
First and foremost, IT compliance laws and regulations have gotten more rigorous and extensive. Governments and official industry bodies have emphasized the necessity to safeguard critical information and protect privacy rights. As well documented, a potential data breach poses a great risk to such information, hence why governments and official bodies have introduced regulations such as GDPR, CCPA, HIPAA, and many more.
Secondly, there’s been no shortage of high-profile data breaches and cybersecurity attacks on government and private organizations. Most damagingly, these attacks have captured the public’s attention and highlighted the consequences of falling victim to such an act. From financial to reputational damages, a data breach that results in customer privacy violations can be severely costly for organizations.
5 in 10 Respondents Think That Compliance With These Frameworks Is ‘Very Important’
Our survey found that the majority of respondents agree that compliance with these frameworks is important. A majority, 53.4%, rate it ‘very important,’ while 28.8% rate it ‘extremely important.’ But not every respondent shares such concerns. The survey found only 11.5% of respondents believing IT compliance is ‘moderately important,’ 4.8% finding it ‘slightly important,’ and only 1.4% answering ‘not important at all.’
The survey finding underscores an increase in recognition of the importance of such frameworks. Since these frameworks provide a comprehensive and structured approach to data protection best practices and measures, businesses and organizations can use the frameworks’ roadmaps to implement security features and controls, policies, and best practices to protect crucial information.
Paul Koziarz, President and General Manager of Regulatory Compliance at CSI, said: “Besides, without a compliance framework, some organizations might not implement any security practices at all (or at least until it is too late). Organizations must constantly challenge themselves to remain in full compliance and seek ways to go above and beyond to ensure the highest levels of security.”
The fact that more than half of the respondents believe compliance with such frameworks is at least important demonstrates a willingness and openness to widespread adoption and implementation of established compliance frameworks.
All in all, the finding underscores the growing recognition of the crucial role that compliance frameworks play in ensuring data security, privacy, and overall risk management within organizations.
6 in 10 Respondents Say Effort to Meet IT Compliance Impacts Day-to-Day IT Department Activities
According to our IT compliance survey, a significant majority of respondents perceive their efforts to meet IT compliance requirements to have a direct impact on the day-to-day activities of their IT departments. The finding highlights the increasing influence that compliance obligations exert on the operational aspects of modern organizations.
So what are the reasons for it? Today’s compliance initiatives force businesses and organizations to enact compliance policies and controls to adhere to government regulatory requirements. These initiatives also create additional administrative overhead and drain IT department resources, taking capacity away from day-to-day IT activities.
As such, organizations acknowledge the challenge IT departments face in striking a balance between compliance and effective operation. Our survey found that 57.2% of organizations believe the burden of IT compliance falls entirely on their IT departments.
Meeting IT compliance requirements also requires extensive documentation and record-keeping. Furthermore, there is a necessity to maintain accurate records and evidence of compliance with regulations. If these tasks are left to IT departments, it diverts attention away from crucial IT-related duties. Moreover, the increased administrative burden on IT departments hinders innovation, troubleshooting, development, and providing timely support to clients and customers.
But the troubles don’t stop there. Compliance efforts often require ongoing monitoring and assessment. Ensuring compliance is a continuous effort that requires adopting strategies to streamline the process.
2 In 10 Respondents Use Automation Processes to Verify IT Compliance
Our survey results indicate that only 2 in 10 (21.6%) respondents currently utilize automation processes to verify IT Cybersecurity compliance. Our survey also indicates that 4 in 10 (38.5%) of respondents use manual processes to verify IT compliance, while only 15.9% do not have any processes to verify IT compliance. This finding highlights a potential area for improvement in leveraging technology to streamline compliance activities and enhance efficiency.
When comparing manual and automation processes for compliance verification, there’s an obvious winner: the latter. Automation streamlines the entire IT compliance verification process from start to finish. Moreover, automation minimizes human errors, reduces manual efforts, and enhances accuracy and consistency.
Automation tools for IT compliance verification offer tracking and monitoring capabilities. These tools can perform checks and audits and identify potential non-compliant areas to improve. Unfortunately, the low adoption of these tools actively hinders businesses and organizations. The low adoption also suggests that most respondents rely on manual verification methods. Therefore, an obvious solution would be to use automation tools for greater efficiency.
Where automation saves time, manual methods only cost organizations in both the short and the long term. Manual verification can be resource-intensive and prone to inconsistencies and errors. Finally, manual processes often require dedicated personnel to perform audits and checks and to write compliance reports.
1 in 3 Respondents Say ‘Lack of Effective Reporting and Auditing Tools’ Is the Main Reason the Cloud Cannot Be Used to Store Data
Our survey indicates an alarming 1 in 3 respondents identified the ‘lack of effective reporting and auditing tools’ as the primary reason preventing them from utilizing the cloud as a storage solution for their data. This finding sheds light on a significant concern that organizations face when considering cloud adoption and highlights the importance of robust reporting and auditing capabilities in cloud environments.
The finding raises concerns, especially when considering our previous survey, where we found that 93% of the IT industry will adopt cloud tech within five years.
This doesn’t come as a surprise, considering cloud storage is inherently beneficial as it offers remote accessibility and scalability and is cost-effective for organizations. However, it might not be the best option when entrusting your most sensitive data to cloud providers right now. To ensure regulatory compliance in a cloud environment, organizations must have adequate reporting and auditing tools, which our survey finds cloud service providers are missing.
Without proper auditing and reporting tools, organizations lack visibility into how their data is handled, processed, and accessed in the cloud. Furthermore, data protection is another area of concern when storing sensitive data on the cloud. When facing possible data breaches and security incidents, the lack of auditing tools makes identifying threats and tracing their origins impossible.
Simply put, there’s no way to investigate potential breaches and incidents, meaning organizations increasingly hesitate to entrust their most sensitive data to cloud service providers. To address such concerns, cloud service providers must integrate third-party auditing and reporting tools or develop their own. That way, organizations will gain insight into how their data is handled, accessed, used, and modified. In addition, cloud service providers must implement security features that protect organizations’ data.
4 In 5 Respondents Say Their Organization Would Gain ‘Moderate’ to ‘Extreme’ Benefits from Using Easier Compliance Management Tools in Microsoft 365
The survey results reveal a compelling finding: 4 in 5 respondents believe their organization would experience a ‘moderate’ to ‘extreme’ benefit from utilizing easier compliance management tools in Microsoft 365. This finding highlights the perceived value and potential impact such tools can have on enhancing compliance efforts within organizations.
Microsoft 365 is one of the most popular cloud-based services businesses and organizations use to enhance collaboration and productivity. It is used by millions of businesses worldwide to varying degrees. Some use it for document sharing, while others use it on a much larger scale. Microsoft 365 also supports IT compliance management.
Popular compliance tools within the Microsoft 365 suite include the Compliance Manager, Auditing, DLP, eDiscovery, and Insider Risk Management, among others. Our survey found that 39.2% of respondents don’t use any available compliance tools in the Microsoft 365 suite. On the other hand, 35.4% use Compliance Manager, 33.1% use Auditing, 28.7% use various DLP features, 24.9% use the eDiscovery tool, 16.6% use Insider Risk Management, while 2.2% of respondents answered with ‘other.’
Diving deeper into Microsoft’s native compliance tools, 51.9% put ‘Lack of Internal Knowledge’ as the biggest problem for their organization when using these tools. A slightly smaller portion of respondents, 43.6%, put ‘Complexity’ as the biggest problem. The findings highlight a necessity for newer and easier compliance tools in Microsoft 365.
One advantage easier-to-use compliance tools in Microsoft 365 could have is the ability to streamline and automate compliance processes.
1 In 4 SMEs Employ a Dedicated Compliance Officer
Our survey also gathered information about respondents, such as their years of experience in IT, where they are based, and the business size. The survey revealed the majority of respondents (68.3%) were businesses with 1 to 50 employees. SMEs (small to medium-sized businesses) are defined as companies with 1 to 50 employees. Our survey found that 1 in 4 (27.6%) SMEs employ a dedicated IT security officer for IT compliance. On the other hand, 1 in 4 (24.5%) large businesses do not employ a dedicated compliance officer.
This finding revealed that compliance with IT regulations and standards is a critical aspect of business operations, regardless of the organization’s size. SMEs, in particular, may face unique challenges when managing compliance, as they often have limited resources, personnel, and expertise dedicated to this function.
Despite all that, employing a dedicated compliance officer can benefit SMEs in numerous ways. First and foremost, compliance officers are individuals with up-to-date knowledge and expertise in industry standards and best practices in IT compliance. Moreover, the role of compliance officers is to ensure organizations implement the relevant requirements applicable to their industry and measures to address them.
Compliance officers are also tasked with developing compliance policies and procedures unique to the organization’s needs. From internal controls to conducting risk assessments, the compliance officer is becoming a crucial role in modern business. As a result, employing a dedicated compliance officer is a must for businesses of all sizes.
Large Businesses Are More Likely to Receive Penalties for Non-Compliance
European Businesses Are More Likely to be Penalized for Non-Compliance Than Their North American Counterparts
Our survey also dived deeper into the nature of non-compliance penalties based on where respondents were geographically operating. Our findings showed that European businesses are more likely to be penalized for non-compliance, with 5.2% having already been penalized compared to 2.9% of North American businesses. This is a remarkable finding, as it highlights the difference in the regulatory landscape, and in the enforcement of compliance regulations, between the two regions.
Although the difference is not large, several factors contribute to the higher likelihood of non-compliance penalties for European businesses and organizations. The most significant factor is the implementation of stringent data protection regulations in the European Union. For example, the General Data Protection Regulation (GDPR) is a well-established data protection framework, and most businesses in the European Union must adhere to it.
Secondly, European regulatory bodies have taken a proactive approach to enforcing these compliance regulations, demonstrating a strong commitment to holding entities accountable in case of personal data breaches.
North American Businesses Are More Confident Their Organizations Are Compliant Compared to Their European Counterparts
Based on our survey findings, North American businesses are more confident their organizations are compliant compared to their European counterparts, but only by a little. The survey’s results showed 92.7% of North American businesses are confident they are compliant, compared to 87% of European respondents.
One key factor drives the higher confidence among North American respondents. North America has a more unified regulatory landscape, especially in the United States, which is a single country. Europe, on the other hand, has country-specific laws and regulations regarding data protection. Oftentimes, certain regulations apply only to specific countries or regions of Europe, and in many cases, data protection laws and regulations in one country don’t apply in another. This lack of a unified approach hinders European entities when meeting regulatory requirements.
Secondly, European regulations are perceived to be more stringent than North American regulations, which might lower the level of confidence among European entities. However, it’s worth mentioning that confidence levels do not reflect the actual compliance status of organizations on either continent; higher confidence alone does not make North American entities compliant.
To truly understand whether these entities are compliant, they must continuously evaluate their compliance measures and ensure practices can prevent risks that lead to data breaches and security incidents.
About the 2023 Hornetsecurity IT Compliance Survey Respondents
When it comes to years of experience in IT, 51.9% of respondents answered with ‘21 years or more,’ 16.3% answered with ‘16-19 years of experience,’ 13.95% with ‘11-15 years of experience,’ 11.1% with ‘6-10 years of experience,’ and only 6.7% with ‘1-5 years of experience.’
Our survey also requested respondents to give accurate information about the size of their business (employee count). The majority, 68.3%, were businesses with 1-50 employees, while only 8.2% were businesses with 1000+ employees. The survey found 13.5% were businesses with 51-200 employees, 6.2% with 201-500 employees, and only 3.8% with 501-999 employees.
Lastly, our survey also asked participants where they were based. Europe was the dominant region with 55.3%, North America came second with 32.7%, followed by Australia and Asia with 3.4% and 2.9%, Africa with 2.4%, South America with 2.4%, and the Middle East with 1%.
FAQ
IT compliance refers to adhering to a series of rules, laws, and standards set by governments and official bodies of industry, most commonly in reference to information technology. IT compliance ensures that businesses and organizations can protect data and IT systems and meet legal requirements for data governance.
IT compliance is important for businesses because it helps them protect sensitive data, ensure legal and regulatory compliance, and mitigate security threats.
Businesses and organizations face numerous challenges in meeting IT compliance requirements. Most notable is the fact that compliance requirements rapidly shift and change based on rules and laws. Others include the complexity of compliance frameworks, resource constraints, lack of expertise, and difficulty in reporting and documenting compliance activities.
Non-compliance with regulatory frameworks can impact businesses massively. From financial penalties to reputational damage, loss of customer trust, and business disruptions, it’s in a business’s best interest to ensure it complies with these standards.
IT compliance has changed a lot in the past five years. Nowadays, businesses are more concerned about compliance issues than before. Moreover, compliance requirements have become more rigorous and complex, and official rules and laws regarding data protection are affecting more and more businesses worldwide.