The auditor knocking on your door (often unannounced or with little notice) to validate your company’s compliance practices shouldn’t be a scary thing. But for many organizations, it can be. While it’s often the auditor that is painted as a big bad wolf, the obligation lies with the audited company to stay compliant for their organization and their clients.
An audit should be a time to showcase your business’s preparedness and processes for going above and beyond to protect your customers’ information and to ensure they have access to your services when they need them. Preparation should really take place for the better part of a year with daily reinforcement of procedures. More often, it is a mad scramble to get documents together and often employees are not entirely sure if they are abiding by compliance or not.
While this may seem like an easily fixable situation, simply winging an audit is not the way to go because the costs to you and your company can be far-reaching if you’re found to be in non-compliance. Your reputation, your bottom line, and the longevity of your business can all be at stake.
Why You May Be in Non-Compliance
Few people start out with a goal of non-compliance, but it can happen to so many companies before they’re even aware of where they went wrong. If you’re just beginning to look intentionally at your compliance practices, here are some of the main reasons companies may fall short during an audit.
Lack of Education
Many companies will send out a surface-level employee training when they onboard and then never touch on data security again. Consider your employee with the longest tenure. It’s likely you have some team members that are now measuring their time with you in decades instead of years. Think about how much can change in six months alone and how much there is to learn as new technology comes to the forefront.
Time in the data protection and cybersecurity space behaves a lot more like dog years and the rates of change are only speeding up. With this in mind, it’s crucial to your success as a compliant company to take steps toward providing continuing education for your employees at least annually, or as you roll out new technology and services that may require their attention.
Furthermore, human error is one of the leading causes of cybersecurity issues, so if you are not educating your employees regularly about best cybersecurity practices, you are practically inviting a breach by ignorance alone. Accidental human error may not be one hundred percent preventable, but a good portion of it can be with appropriate education.
Lack of Resources
It’s possible that companies may not have the internal resources in place to dedicate to year-round audit preparation and compliance adherence. Most organizations do not have a Chief Security Officer, Chief Compliance Officer or Risk Manager on staff to run these efforts. They can be hard to recruit and costly to retain. Any other employee you throw at it probably does not have the bandwidth to split the responsibility of staying up to date on evolving standards, then actually implementing them across your organization.
In addition to the people element, compliance badges can be extremely costly to attain and maintain annually. From the IT equipment and redundancy required to the cost of the actual certificates themselves, it’s a major financial investment for the average organization. Studies show that remaining in compliance costs around $30 million per year for large financial institutions and $7.7 million for a pharmaceutical company.
But it’s important to remember that it is far less expensive to remain in compliance than it is to come back from non-compliance. A study by Corporate Compliance Insights shows that the cost of remaining in compliance is half the cost of non-compliance and the associated consequences.
Both the internal expertise required and the steep costs associated are major contributors to companies seeking out cloud and managed service providers that can take this burden on for them with proven expertise in this area. You can have peace of mind that they’ll get you a successful completion the first time around and with minimal heavy lifting on your side.
Lack of Documentation
It’s entirely possible you’re doing the right thing, but you’re not writing it down and therefore cannot prove you are in compliance. Lack of appropriate documentation can have a marked impact on the outcome of your compliance audit and can result in many, many issues for your company down the road.
As you develop your compliance plan, make sure that the guidelines for documentation are clear for every scenario you and your team may encounter. Regularly update your documentation protocols as compliance requirements continue to evolve. Add documentation as an agenda item when you are developing a continuing education plan for your team members.
The Costs Associated with Non-Compliance: The Measurables
Non-compliance is a costly mistake to make. Research from Corporate Compliance Insights shows that non-compliance can cost companies significantly more than they would spend on compliance, depending on the severity of the infractions and the damage sustained by any subsequent issues that may arise. This number is also projected to rise as compliance requirements change.
Fines
With some larger governing bodies, such as the FDIC and HIPAA, fines for being noncompliant range anywhere from $16,000 to $250,000. That’s anything from the annual salary of an intern to a C-Suite executive. Most companies would much rather reinvest that money into their people than pay out for preventable mistakes.
Court Fees and Jail Time
Some larger governing bodies may also prosecute certain members of your team and they can be jailed for up to ten years, depending on the offense. These court processes are often lengthy, lasting anywhere from three to five years. Keep in mind that while many governing bodies impose a cap on the fines an organization can incur throughout a year, legal fees and settlement costs have no such ceiling.
Replacing Terminated Employees
In some companies or industries, employees may be terminated if they are found to have contributed to your organization’s non-compliant status. This is, in most cases, a reasonable response to mitigate future risks, especially if this has been a recorded pattern of behavior. That being said, it can be very expensive to hire, onboard, and train new employees in a way that further reduces risk moving forward.
It’s estimated that the cost of re-hiring one employee is about six to nine months of that employee’s starting annual salary, and the number only gets bigger as you move up the org chart. According to SHRM, replacing an employee who makes $60,000 per year could reasonably cost your company $45,000. If you have to replace multiple employees after a compliance incident, that number can swell astronomically, putting significant strain on that quarterly or yearly budget. Your team may be left short-staffed if you cannot afford to replace employees that had to be let go.
You should also be aware of the fact that job candidates are spending more time researching their employers now than ever before, so they will likely find evidence of your compliance mishaps. Many high-performing candidates will not want to take the risk of joining a company that may be making cuts or could have its activity suspended due to non-compliance.
Risk of a Cloud Disaster
They’re lurking everywhere and strike often without warning. Cloud disasters are one of the most expensive consequences of non-compliance, with a data breach costing, on average, $8.64 million in the United States. Between the manpower, time, and money spent recovering from a disaster, it’s no wonder that over one-third of small-to-mid-size businesses don’t recover.
At the end of the day, auditing bodies are not here to scare your organization into compliance under threat of devastating consequences. They are here to ensure organizations are taking appropriate steps to prevent and prepare for the event of a cloud disaster which could compromise your customers’ data. This alone should be reason enough to strive for perfect compliance, no matter who you answer to during an audit.
Controls
If you’re found to be in non-compliance, the auditing body will likely make several suggestions of controls you can implement in order to get back into the realm of compliance. These can be anything from investing in cybersecurity software to adding layers of physical security to your storage facility or office. Each of these items, if not already implemented, will come with a hefty price tag, especially if you have to rush the process to get it done in a set timeframe.
Lost Revenue
While non-compliance can come with its own set of immediately measurable consequences, lost revenue is a slow burn that can impact your business for years due to downtime, security threats, breach containment and a significant loss of customer trust. The lost revenue alone has the potential to threaten jobs, stakeholder interest and the ability of your business to function normally. Furthermore, you may be unable to afford some of the suggested controls and will further spiral into noncompliance.
Reputation
Let’s take, for example, the Equifax data breach. This massive issue of non-compliance is something that they have not been able to fully recover from, even after a few years. There are people who don’t know what Equifax does, but they could tell you all about their cloud disaster. And for this reason, they have lost many, many potential customers.
As the adage says, a reputation takes a lifetime to build and only seconds to destroy. Customer trust goes hand-in-hand with your reputation, especially when you’re working with sensitive customer information. The loss of your reputation as a trustworthy company could have a devastating impact on your business’s future.
3 Steps to Take to Become Compliant
If you’re starting to worry that you might be one of the folks making some expensive compliance errors, don’t despair. Here are three steps you can take to ensure that your company gets back on track to total compliance in order to protect your employees, customers and your organization’s reputation for the long run.
1. Educate Employees Often
If you take nothing else away from this blog post, remember to set up a plan for your employees to remain up to date on compliance best practices for your company. Each industry is a little different, but there should be no less than one training per year, as most governing bodies update their compliance information at least yearly.
Take a holistic approach to educating your employees, covering topics such as cybersecurity, physical security, endpoint security practices, disaster recovery, and documentation of incidents. Cover all your bases so you not only pass your audit, but you are prepared in the event of an emergency.
2. Look at Physical Security
Physical security is an element of compliance that is often overlooked, especially in cybersecurity when critical infrastructure is not physically stored at your organization’s location. If someone were to break into your office, how easy would it be for them to access sensitive information? Develop a clear visitor policy and take measures to ensure after-hours security, be it a security guard or an advanced security system.
Data in the cloud has to be physically stored somewhere. Even if you’ve outsourced to a Cloud Service Provider, be sure to understand and document all of their physical security protocols and consult with your auditing body to ensure that your storage facility meets physical compliance requirements.
3. Your Cloud Service Provider Can Help with CaaS
If you did decide to outsource your infrastructure to a cloud or colocation provider, make sure to do a deep dive on their compliance history. A reputable partner should display several compliance certifications that are relevant to your industry. Many of these are transferrable to the customer, simply by nature of the business. If their facility adheres to the toughest compliance guidelines, then your level of protection goes up simply by housing your data and applications in that data center. Their compliance becomes your compliance, when many elements of an audit focus on network security.
If you and your employees are already stretched thin and can’t give your compliance practices and policies the time they deserve, it may be time to consider investing in Compliance as a Service (CaaS). A reputable CaaS provider will walk with you through the compliance process, providing a framework, suggestions, and the all-important documentation you need to pass your audits.
LightEdge Stands out as Your CaaS Provider
Here at LightEdge, we believe everyone has the ability to be compliant. With our tailored Compliance as a Service (CaaS) solutions, we strive to give every organization the resources and support they need to pass their audit quickly and without incident.
Our team of experts will work with you to ensure that you are completely prepared for a compliance review before it happens so you can go about business as usual without wondering whether or not you will pass your audit. We have you covered through our security and compliance services, including risk management, information security, audit preparedness, and support direct from LightEdge’s CSO.