Companies Are Making Cybersecurity a Top Priority
Cybersecurity, also known as data security, is the top compliance priority of major corporations and organizations.
In its 2016 Compliance & Risk Report: CCO’s Under Scrutiny, global law firm DLA Piper, which advises companies on cybersecurity matters, summarized survey results from 78 in-house counsel and compliance officers. By far, the most widely identified compliance risks were cybersecurity and data breaches: 73% of respondents named cybersecurity as their biggest compliance risk, followed by data breaches (72% of all respondents). “Increased regulatory risk” was a close third at 64%. It came as no surprise that the survey results showed most company compliance resources were being spent on cybersecurity.
The concern appears to be growing. In another 2016 survey conducted by Bay Dynamics, a cyber risk analytics company that serves businesses, 30% of 126 surveyed board members of corporations with 2,000 or more employees considered cyber risk to be a “high” priority. In 2014, that concern was just 7%. In 2018, that concern is expected to rise to 44%, according to the survey. Note that survey respondents were given three choices (“high,” “mid-level” and “low”) in gauging data security priority. While most board members (56%) found data security to be a “mid-level” priority, its shift from 2014 was less dramatic than the “high” priority shift.
Knowing what other firms are doing in terms of data security can assist organizational cybersecurity compliance efforts. For better or worse, companies have to model their compliance programs after peers in their industries. Professor Sean J. Griffith of Fordham Law School has called this phenomenon “compliance creep.” It occurs when companies ante up their compliance programs because someone else may be “doing it better” under the watch of federal regulators. During a January 2016 symposium on The Changing Face of Corporate Compliance and Corporate Governance, Griffith explained, “The regulatory state enforced a vacuum. The feds are in it and it is just the way it is going to be, and we have to learn to live with that.”
Beyond regulator motivations, which tend to focus on external incentives (“follow the law, or else”), there’s practical value in knowing what other organizations are doing about data security. Data security threats, like shadow IT, ransomware, and password reuse, are rampant and constantly mutating, requiring active eyes.
For example, Verizon’s 2016 Data Breach Investigations Report brings together companies and data security experts to provide updates on cybersecurity threats. In one instance, Verizon analyzed millions of phishing scams and found that 30% of phishing messages were opened by employees. The 2014 report found that 23% of employees opened phishing messages. This rise makes sense when put in context. Insider negligence has been found to be the number one threat to a company’s data security, often arising from employees opening scam emails and files.
Verizon recommends providing “employees with awareness training and information so they can tell if there is something ‘phishy’ (couldn’t resist) going on.” For more information about data security awareness training, check out LawRoom’s white paper. LawRoom offers online compliance training to thousands of companies and universities.