There is a misalignment between data privacy regulation spending and business outcomes, according to Tanium research. Specifically, as businesses spend tens of millions on compliance, over 90 percent have fundamental IT weaknesses that leave them vulnerable and potentially non-compliant.
The global study of 750 IT decision makers revealed that organizations have spent on average $70.3 million each to comply with the GDPR, the CCPA, and other data privacy regulations over the past year.
Most businesses have hired new talent (81 percent), invested in workforce training (85 percent) and introduced new software or services (82 percent) to ensure continued compliance.
In addition, 87 percent of organizations have set aside or increased their cyber liability insurance by an average of $185 million each, to deal with the potential consequences of a data breach.
However, despite this increased investment, businesses still feel unprepared to deal with the evolving regulatory landscape, with over a third (37 percent) claiming that a lack of visibility and control of endpoints is the biggest barrier to maintaining compliance with regulations such as GDPR.
Increased spending not solving visibility challenges
This lack of visibility into how organizations see and manage endpoints such as laptops, servers, virtual machines, containers and cloud infrastructure causes major challenges. In fact, the study revealed major visibility gaps in the IT environment of most organizations prior to the pandemic.
Ninety-four percent of IT decision makers have discovered unknown endpoints within their IT environment, and 71 percent of CIOs said they find new endpoints on a weekly basis.
Mass home working and employee use of personal devices are likely to exacerbate these problems, expanding the corporate attack surface. When compliance relies on understanding what tools you use, what endpoints you have and what data you hold across the entire organization, these visibility gaps are dangerous.
Chris Hodson, CISO at Tanium, said, “While it’s encouraging to see global businesses investing to stay on the right side of data privacy regulations, our research suggests that their good work could be undermined by inattention to basic IT principles.
“Many organizations seem to have fallen into the trap of thinking that spending a considerable amount of money on GDPR and CCPA is enough to ensure compliance. Yet without true visibility and control of their IT assets, they’re leaving a backdoor open to malicious actors.”
What is causing visibility gaps?
The majority (91 percent) of respondents acknowledged fundamental weak points within their organizations that are preventing a comprehensive view of their IT estate.
These visibility gaps are being caused by a lack of unity between IT, operations and security teams (39 percent), a lack of resources to effectively manage their IT estate (31 percent), legacy systems which don’t give them accurate information (31 percent), shadow IT (29 percent) and too many tools used across their business (29 percent).
The research found that firms have implemented an average of 43 separate security and operations tools to manage their IT environments. Tool sprawl like this further limits the effectiveness of siloed and distributed teams, adding unnecessary complexity.
Tech leaders are concerned about the consequences
In the study, IT leaders cited concerns that limited visibility of endpoints could leave their company more vulnerable to cyberattacks (53 percent), damage the brand reputation (39 percent), make risk assessments harder (33 percent), impact customer churn (31 percent) and lead to non-compliance fines (23 percent).
Respondents also revealed a false sense of confidence when it came to compliance readiness. Ninety percent of IT decision makers said they were confident of being able to report all required breach information to regulators within 72 hours. But with nearly half (48 percent) reporting they have challenges in getting visibility into devices on their network, this confidence appears to be misplaced — a single missed endpoint could be a compliance violation waiting to happen.
Chris Hodson, CISO at Tanium, concluded: “GDPR and CCPA represent the beginning of a complex new era of rigorous data privacy regulations. Although some regulators have postponed large fines due to the current pandemic, it doesn’t defer the requirement for companies to ensure personal information is stored and processed using the strictest safeguards.
“Technology leaders need to focus on the fundamentals of unified endpoint management and security to drive rapid incident response and improved decision making. The first step must be gaining real-time visibility of these endpoints, which is a crucial prerequisite to improved IT hygiene, effective risk management, and regulatory compliance. With most teams working from home these days and many having to use their own devices, this has never been more important.”