The Cost of Non-Compliance
“If you think compliance is expensive, try non-compliance.” former U.S. Deputy Attorney General Paul McNulty – June 2009
Paul McNulty really did say it best. Many organizations feel that the cost of compliance is too great a burden to undertake, and so they run the risk of a catastrophic event. Setting aside the ethical and moral issues, a successful cyber-attack on your organization, or any other breach of protocol due to non-compliance, exposes the company to several risks that can be very damaging to your business.
WHY DOES MY ORGANIZATION NEED TO BE COMPLIANT?
Compliance with regulations is designed to prevent bad things from happening. If you follow the rules, then your information should be protected. If you do not…bad things can happen. We equate compliance with having an insurance policy. The policy will only protect you if you have followed the rules. You really do not want to find out that your systems were not compliant after an attack.
IS COMPLIANCE THE SAME AS BEING SECURE?
No. You can be secure without being compliant and you can be compliant without being secure. Almost every major attack that has occurred in the past few years was not due to some major hole in security, or some gross disregard for compliance. It would be safe to say that the vast majority of organizations that have been attacked had some measure of compliance in place. The two are separate concepts that people often confuse.
Consider that a restaurant with a stove is required to have fire extinguishers (in case of fire). Having or not having the extinguisher is not going to make a difference to whether a fire starts or not. It may not make a difference if a fire starts, regardless. BUT… having the fire extinguisher at the site can and should alleviate most minor fires. If a restaurant does not have the extinguisher, they are going to have a much more difficult time filing an insurance claim.
If your organization gets attacked and you had insufficient resources or procedures in place, you’re going to have a hard time defending your ‘adequate compliance measures’.
CAN WE GET FULLY SECURE IF WE ARE COMPLIANT?
No. There are some security measures that cannot be implemented if you want to function in business. If you lock down every computer and disconnect from the Internet, you’ll be safer, but you won’t be able to do your business. Compliance is about minimizing risk, not removing it.
WHY WOULD MY ORGANIZATION GET ATTACKED?
EVERY organization is a target. Defense subcontractors are a much more valuable target because of the information that they have. Large or small, every organization is a target for various reasons. If you do not think it will happen to you, I have a bridge to sell you.
In 2020, Cybersheath conducted a survey of 200 senior executives of Defense Industrial Base (DIB) companies. Their findings are alarming, especially in light of the fact that many people will not admit to an attack, even anonymously.
- 21% had experienced a cybersecurity incident.
- 82% are generating and/or handling Controlled Unclassified Information (CUI).
- 7% were unaware of the Cyber Maturity Model Certification (CMMC).
- 33% of companies did not know which of the five levels they would need to be certified at.
- 54% outsourced security and other IT needs to third-party vendors. These vendors may or may not be aware of the compliance requirements.
WHAT PRECISELY ARE COMPLIANCE COSTS?
Compliance costs are ALL the expenses a company must incur to ensure that it has met all industry regulations. These costs are relevant to more than just the Information Systems in an organization. There are other areas that are overlooked when doing an analysis: payroll for compliance staff and consultants, legal fees, registration/reporting fees, and the cost of any changes that need to be made. To better understand this, think about GDPR requirements. Your organization needs to have a Data Privacy Officer, to develop or buy solutions to track user information, and to have a system and process to remove user information on request.
WHY IS THIS SUCH A CRUCIAL ISSUE?
In a 2021 report from Tier 1 Cyber, over a quarter (27%) of companies admitted that they knew they were unprepared for a security event. Additionally, 12% of DoD prime contractors “had confidence in their sub’s cybersecurity posture”.
According to the National Defense Industrial Association (NDIA), a whopping 10% of the companies surveyed had NO personnel dedicated to IT and 44% admitted that they were “still working to meet NIST 800-171 requirements”. And, as expected, 20% of the organizations had no incident response plan.
AND NOT COMPLYING IS BAD?
Other than the fact that you have broken the law, violated your contract(s), and made false claims to the government, there are some penalties traditionally assessed after an ‘event’.
Tangible Penalties: These are things like monetary fines, legal representation when addressing the claims against the organization, and personnel leaving the organization.
Intangible Effects: These can range from damage to reputation to (federal) prison sentences for employees AND employers. If you use subcontractors or are a subcontractor, you need to consider this.
Monetary Effects: Lost productivity, lost revenue, lower stock price. Loss of Intellectual Property.
Monitoring: Usually, penalties require some type of remediation plan. This needs to be created and agreed to, and often an external monitor needs to be put in charge of reviewing, training, and re-training staff, and of confirming that ongoing monitoring reports are satisfactory, to ensure that your processes and policies are being enforced.
WHAT ARE THE REAL COSTS?
It is a given that any quote an organization gives you for a system review, an assessment, a remediation plan, or any other form of testing and/or validating your compliance is going to vary based on the size of the organization and the complexity of the systems.
WHAT IS THE RISK OF NON-COMPLIANCE?
Almost 40% of senior executives estimate the cost of an attack at more than one million dollars. That’s a conservative estimate and does not fully take into account the possible loss of future business, and damage to company reputation.
SO WHAT ARE WE SAYING?
Be compliant. Make sure you meet whatever compliance you need, whether you’re worried about DFARS, ITAR, EAR, HIPAA, or meeting NIST 800-171 Standards. Invest the proper time and energy in learning about your compliance needs. Take the time to hire a professional if needed. Take Paul McNulty’s words to heart. It will save you the headache, and the dollars.