Cybersecurity and compliance go together like sushi and rice. You can’t have one without the other and expect things to end well for your business and customers. Let’s explore the top compliance statistics that help you show the decision makers within your organization why cybersecurity compliance training and investments must be a priority
“Cybersecurity compliance” means a lot of things to businesses depending on their locations, industries, and other factors. For example, if you’re a business in the European Union that handles credit card payments, then you not only have to worry about being compliant with credit and banking card regulations (PCI DSS), you also have to be compliant with a far-reaching regulation known as the General Data Protection Regulation (GDPR).
If even just one employee screws up, it can essentially undo all of your efforts and land your company name on a list of noncompliance offenders. This is why we’ve put together a list of key cybersecurity compliance statistics. Our hope is that this resource will help you communicate to your organization’s leadership why having a cybersecurity compliance program is a must for your organization.
Let’s hash it out.
10 Disturbing Cybersecurity Compliance Statistics That Help Drive This Point Home
When you don’t have a cybersecurity compliance program or (at the very least) policies in place, you risk things going sideways quickly for you and your customers. Compliance with cybersecurity and data privacy regulations helps keep your organization, data, and customers secure against data breaches and other cybersecurity issues. However, it also has other direct and indirect benefits as well:
- Shows customers and other stakeholders that the security of their data is a priority for your business.
- Helps you avoid costly noncompliance fines and penalties that can result from noncompliance with regional and industry regulations.
- Protects your organization’s brand and reputation against harm that results from data breaches.
Compliance relates to protecting and securing your data that’s both on prem and in the cloud. And considering that Flexera reports that 99% of organizations use either a public or private cloud, it’s critical that you understand how to remain compliant with the regulations that help you keep these resources secure.
With all of this in mind, let’s consider some relevant industry data (i.e., cybersecurity compliance statistics) that shows exactly what we mean by all of this.
1. 93% of Employees Are Overly Confident About Their Cyber Preparedness
First on our list of cybersecurity compliance statistics is research from IBM and Morning Consult. Their data shows that more than nine in 10 respondents who work from home (WFH) are more confident than they are prepared when it comes to securing sensitive data. Although they’re certain they can protect personally identifiable information (PII), they often lack the tools and training that help to make it possible.
While feeling confident is important, there needs to be a reason for that self-assuredness. If you feel confident when you have no idea what you’re doing, then you’re likely going to find yourself in hot water very quickly. It’s kind of like trying to bake a triple-layer cake when you’re new to baking: If you don’t have a recipe to follow and don’t know what ingredients or techniques to use, it’s a surefire recipe for disaster.
2. 50%+ of Employees Aren’t Aware of Their Organization’s New Cybersecurity Policies
Data from the same IBM and Morning Consult study also indicates that the cyber awareness of many employees is lacking. This is because many employees are ignorant about new company policies relating to secure password management, how to handle customer data, and other key data concerns.
When the COVID-19 panic came into effect, many businesses and organizations found themselves scrambling to implement a WFH environment. But with so many changes occurring simultaneously, businesses found themselves having to create and roll out new cyber security policies. In situations like this, it’s critical to train your employees about new policies and procedures when they initially roll out. You also need to incorporate these policies in regular training sessions to:
- Help employees stay informed about existing and new policies,
- Keep these policies fresh in your employees’ minds so they consider them when engaging in different activities online.
- Cover your butt by showing that you’re taking the necessary steps to keep employees informed. (A little “CYA” is always good for businesses.)
All it takes is one moment of unawareness to find your organization’s name in the news for all the wrong reasons.
3. 44% of Companies Require Vendors to Provide Proof of Cybersecurity as Part of Their RFPs
Over the past several years, companies have increasingly expected more from the vendors that they hire in terms of security (as they should!). This push toward greater cybersecurity accountability and requirements can be seen in the increase in firms that “are being asked for proof of cybersecurity as part of RFPs.” This is according to data from a poll conducted at the ACA Compliance Group’s Fall Conference in September 2020 and was published in their report Key Trends and Forces Shaping Risk and Compliance Management in 2021.
Let’s consider an example from the U.S. Department of Defense’s (DoD) Requirements for the Acquisition of Digital Capabilities Guidebook: “Cybersecurity must be addressed early in acquisition planning and apply across all phases of the acquisition and at each technical layer of the solution.” So, to land a government contract, you need to not only communicate what cybersecurity measures you have in place, but you also need to address their comprehensiveness. The resource also states that cloud cybersecurity requirements should be included in DoD contracts.
Ideally, as part of that proof, vendors should provide any relevant information relating to cybersecurity compliance.
4. 45% of Organizations Globally Will Experience Supply Chain Attacks by 2025
Next on our list of cybersecurity compliance statistics is a new prediction data from Garner. this data shows that by the time 2025 rolls around, two in five organizations will have fallen prey to software supply chains attacks. This is a three-fold increase from their 2021 data. Supply chain attacks are those that target organizations’ development and build systems to infiltrate their codes with malicious code or software. This way, they can infect and attack the organizations’ customers without anyone knowing what’s occurred.
We’ve already seen some really ugly instances of software supply chain attacks over the past few years — two major examples of which include the attack targeting SolarWinds and its customers and the attack on Kaseya and its managed service provider (MSP) clients.
In the case of SolarWinds, employees relied on weak passwords that wound up getting published online and cybercriminals used the access to install malware onto the federal government contractor’s development server. When SolarWinds rolled out software updates, the attackers’ software shipped with it, thereby allowing the attackers to infect its customers’ networks and infrastructure.
As you can imagine, being compliant with industry regulations could have helped prevent this incident from occurring. The National Institute of Standards and Technology (NIST) has recently released some Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations that you may find useful. While NIST recommendations are applicable to federal government agencies and related third-party vendors, they still provide practical guidance and useful information that commercial entities can use to secure their cyber infrastructure.
5. GDPR Noncompliance Fines Hit Nearly $100 Million in First Half of 2022
AtlasVPN reports that noncompliance penalties faced increased 92% when comparing data from 1H 2021 and 1H 2022. Their research was based on data from the CMS.Law GDPR Enforcement Tracker website, which includes data relating to GDPR fines and penalties imposed by authorities within the European Union.
Of course, some individual organizations have been slapped with major GDPR fines since the regulation went into effect in 2018. For example, Amazon faced a whopping €746 million fine in August (which the company has decided to appeal) and WhatsApp got hit with a €225m penalty in September 2021. To put that in “American” terms, those amounts were the equivalent of nearly $887 million and $276 million U.S. dollars, respectively, at the time those punishments were handed out. (Of course, this is prior to the Euro value dropping, the value of which is now nearly that of the U.S. dollar for the first time in 20 years.)
Although cybersecurity compliance and data security compliance are technically two separate things, they’re closely related. That’s because many data privacy regulations require stringent cybersecurity measures to help keep sensitive personal data secure. For example, the GDPR is a well-known regulation that requires organizations to implement security measures to help secure data both while at rest and in transit.
6. 46% of Medical Device Companies Say They’re Compliant With Cybersec Regulations & Standards
Alright, we’re over half way through our list of cybersecurity compliance statistics. Data from the product security platform Cybellum shows information that should be very disconcerting to, well, everyone. According to their 2022 data, more than half of surveyed medical device companies think they’re noncompliant with industry guidelines, standards and regulations. Medical devices span the gamut, covering everything from devices used in hospitals to personal devices implanted within patients’ bodies.
For example, 2022 data from Palo Alto Networks’ Unit 52 research team shows that 75% of the infusion pump devices they studied had known security issues. But what makes matters worse is that more than half (52%) had two known vulnerabilities with “critical” and “high” severity scores. Considering that many of these devices have lifespans of eight to 10 years, imagine the issues and risks that can result from relying on insecure legacy devices.
7. 80% of Medical Device Manufacturers View Device Security as a “Necessary Evil”
Remember when you were a kid and your parents assigned you chores you didn’t want to do? If you were like most kids, it means you likely did the absolute minimum required just to get the job done. There was no pride in it, so you didn’t want to put in extra effort to go above and beyond on the task. The same can be said about some medical device manufacturers.
Data from the same Cybellum report shows than more than three-quarters (78%) of respondents say they only do the minimum to achieve compliance. This is slightly less than those who view regulators imposing device security as a “necessary evil” of the industry. Basically, it’s something that just has to be done and that’s just the way it is.
8. More Than 22 Billion Records Were Exposed on 4,145 Publicly Disclosed Breaches in 2021
Oh, boy. This next bit of data from RiskBased Security is a real doozy. Their 2021 Year End Data Breach QuickView Report shows that more than 22 billion — yes, billion with a b — records were exposed in 2021 alone. What makes this number even more disturbing is that it represents just the publicly disclosed breaches. This doesn’t include breaches that have gone unreported or haven’t yet been discovered.
Unfortunately, there’s really no way to know just how many breaches those unknown incidents represent (for obvious reasons). But these incidents would be far less likely to happen if more businesses strictly adhered to compliance requirements and industry best practices.
9. 23% of Organizations’ Public Cloud Security Incidents Resulted From Misconfigurations
One of the most important aspects of compliance is ensuring that your systems are properly configured to meet standards or regulatory requirements. But research from Check Point’s 2022 Cloud Security Report shows that nearly one-quarter of the security incidents they studied in the previous 12 months involving public cloud infrastructure resulted from poor configurations.
Considering that their research shows more than three-quarters (76%) of organizations use two or more cloud providers, this is particularly startling. If companies have issues configuring one cloud environment, then it’s likely that they’re going to have more issues trying to juggle multiple simultaneously.
10. 39% of Companies Rank Compliance as One of Their Top Three Day-to-Day Headaches
Let’s continue on with the cloud compliance considerations (yay for alliteration). Last but not least on our list of cybersecurity compliance statistics is one final piece of data from Check Point. The company’s research shows that nearly two-fifths of organizations list compliance as their second biggest challenge, following a lack of qualified personnel (45%) that ranked No. 1. But concerns don’t just stem from achieving compliance; other cloud compliance concerns relate to:
- Maintaining compliance,
- Dealing with audits and risk assessments, and
- Implementing automation regarding compliance-related activities.
What Types of Data & Cybersecurity Regulations Do You Have to Be Compliant With?
The answer to that question depends on a few critical factors, including your organization’s physical location, specific industry, or other important considerations.
Location-Based Cybersecurity Compliance Regulations You Need to Know
Much like the cultures that exist within different geographic areas, data security and privacy regulations also vary from one country or state to the next. Countries and their governments tend to have different interpretations of what “cybersecurity” and “data security” and “data privacy” all entail.
According to the United Nations Conference on Trade and Development (UNCTAD), 156 countries (80%) have enacted some type of cybercrime legislation. Furthermore, of the 194 countries they evaluated:
We’re not throwing together a comprehensive list here because that would take a long time. Instead, we’ll quickly cover a few examples of some of the different cybersecurity compliance regulations that companies and organizations must keep in mind based on their geographic locations:
- Data Security Law of the People’s Republic of China — This Chinese law relates to many activities regarding data processing and data security of Chinese citizens. Articles 45-48 impose fines that start at the equivalent of just under $15,000 U.S. but span upwards of just under $1.5 million. Violations also can result in companies losing their permits or licenses.
- General Data Protection Regulation (GDPR) — This European Union regulation is one that applies to businesses both in the EU and abroad if overseas companies are handling data of people located in an EU member state. GDPR Article 83.5 says that especially severe violations can range up to €20 million or up to 4% of “total worldwide annual turnover of the preceding financial year, whichever is higher.” For less severe violations, these amounts of halved.
- California Consumer Privacy Act (CCPA) — The CCPA is a United States law that protects the security of personal data relating to California state citizens. This can result in fines and penalties ranging from up to $2,500 per unintentional violation to upwards of $7,500 for each intentional violation.
For a look at some location-based cybersecurity regulations, be sure to check out this comprehensive list from the National Conference of State Legislatures (NCSL).
Industry-Based Cybersecurity Regulations
We’re not going to cover all regulations as there are way too many to get into in a single article. We’ll just list some of the major ones:
- Gramm-Leach-Bliley Act (GLBA) — This law applies to financial industry organizations and institutions in the U.S. Violations of this act. It’s enforced by the Federal Trade Commission (FTC) and can include federal civil and criminal penalties.
- Health Insurance Portability and Accountability Act (HIPAA) — Violations of this healthcare-related law can cost businesses and organizations up to $50,000 per violation or upwards of $1.5 million per year for multiple violations.
- Payment Card Industry Data Security Standard (PCI DSS) — This one is a bit different in that it’s not actually the Payment Card Industry council that’s imposing the penalties. Rather, it’s up to the individual credit card companies (American Express, Discover, MasterCard Visa, etc.) to implement these fines and penalties themselves, which they can do on a monthly basis. These fines can range from $5,000 to upwards of $100,000 per month, according to ComplianceGuide.org.
To learn more about data privacy and encryption laws, be sure to check out our article.
Final Thoughts on the Importance of Cybersecurity Compliance
As you can see based on these key cybersecurity compliance statistics, being compliant with cybersecurity regulations and laws is critical for businesses, organizations, customers and other stakeholders. Without trying to be compliant with industry standards, you leave yourself and your sensitive data exposed to potential theft, manipulation and other forms of compromise.
If you’re noncompliant with cybersecurity compliance requirements but report otherwise, you may be found liable under the False Claims Act. One U.S. contractor organization found itself in this unenviable position earlier this year.