IT Risks Seem to Be Outpacing Organizations’ Risk Management Capabilities
The coronavirus pandemic has created new risks and amplified existing risks
- The shift from working in offices to working from home elevates security risk. New technology risks come from the use of personal devices, new unsecure networks, and new apps that support remote collaboration. For instance, while Zoom has been in business since 2013, its popularity skyrocketed during the coronavirus pandemic of 2020. In March 2020, Zoom was seeing 200 million daily meeting participants; in April it was 300 million. This compares to 10 million in December 2019.
- Cyber attackers in 2020 refined their methods to take advantage of the COVID-19 pandemic and the adoption of new technologies used for remote work. In fact, online crimes reported to the FBI’s Internet Crime Complaint Center (IC3) have nearly quadrupled since the beginning of the COVID-19 pandemic.
- By end of 2020, a failure to figure out how to support remote work without exposing sensitive information led to nearly 25% of organizations paying unexpected costs to address cybersecurity breaches and malware infections.
- Recession pressures, such as budget and staffing cuts, have made security and fraud risks more pronounced.
The rise of cloud-based tech vendors: More third parties are touching corporate data
- Organizations in 2020 relied heavily on third-party IT systems within their businesses. BeyondTrust research found that the average organization has 182 vendors that connect to its systems each week. The same survey found that 58% of organizations believe they have incurred a vendor-related breach.
- Meanwhile, most companies don’t have enough visibility into their third parties. A 2018 Ponemon Institute study found that 57% of respondents did not know their organizations’ vendor safeguards were sufficient to prevent a data breach (Ponemon Institute 2018). And just 34% of respondents even had a comprehensive inventory of all their third parties touching their data.
Regulations around cybersecurity and data privacy are on the rise
At this time, organizations face an increasing number of regulations that legally require them to implement security and privacy safeguards to keep their customers’ information secure and confidential. Together, an interlocked thicket of regulatory obligations is affecting how businesses handle sensitive data. These regulations extend to the third parties working on a company’s behalf. And regulators require organizations to prove their compliance with demonstrable evidence.
- In the fall of 2020, the DOD rolled out a new cybersecurity requirement for all DOD contractors and suppliers called the Cybersecurity Maturity Model Certification (CMMC). Instead of accepting companies’ self-assessment on security questions as valid, the DOD will only conduct business with contractors who have passed third-party audits for the appropriate CMMC level going forward.
- In January 2020, the state of California rolled out the most comprehensive state-level data privacy regulation seen to date: The California Consumer Privacy Act.
- Although the U.S. doesn’t have a national privacy law yet, multiple bills have been introduced in the past two years and both parties agree on the broad strokes (e.g., SAFE DATA ACT, U.S. Consumer Data Protection Act, Filter Bubble Transparency Act). The signs show that the next term of Congress may pass a nation-wide data privacy and security law that rivals the EU’s General Data Protection Regulation (GDPR).
- Of 1,029 security and GRC professionals Hyperproof surveyed in December 2020, 86% of respondents from the U.S. are preparing for the potential passage of a federal data privacy and security law in the U.S. in the next few years and have factored this into their 2021 IT compliance budget.
- Since the GDPR was introduced in 2018, countless organizations have made headlines for violations. As of December 2020, data protection agencies within the EU have handed out 300 fines for GDPR violations. Between July 2018 and June 2019, an average of 5 fines were handed out each month. But, between July 2019 and June 2020, an average of 18 fines were handed each month. That’s a 260% increase.
Companies’ Current Approaches to Managing IT Risks
- 92% of tech companies surveyed by Hyperproof in December 2020 reported using a risk management standard framework, such as ones developed by NIST and ISO (Hyperproof’s 2021 IT Compliance Benchmark Survey).
- 78% of tech companies surveyed by Hyperproof in December 2020 said their organizations have identified clear roles, responsibilities, and owners for various risks.
- 71% of tech companies surveyed by Hyperproof in December 2020 said their organization conducts risk assessments on a regular cadence (Hyperproof’s 2021 IT Compliance Benchmark Survey)
- 35% of tech companies surveyed by Hyperproof in December 2020—the biggest group—said that their organization manages IT risk in an ad-hoc fashion, only when a negative event happens. Another 28% reported that IT risks are managed in siloed departments, processes. and tools (Hyperproof’s 2021 IT Compliance Benchmark Survey).
Challenging Activities With IT Risk Management
Hyperproof surveyed 1,029 IT security and security GRC professionals in December 2020. We used industry research to identify a set of controls, or practices and procedures, to manage IT risks and asked respondents to rate how well they’re doing in implementing each of the following items. It turns out that companies have lots of room to improve.
- 44% of respondents admit they need improvement in identifying existing controls built to address certain risks
- One entire half of respondents admit they need improvement in validating controls against standard controls in compliance frameworks (e.g. NIST, ISO).
- One half admit they need improvement in aligning controls with risks
- 44% said they need improvement in monitoring controls and automated controls testing
- 48% they need improvement in activities related to flagging exceptions, reviews, and remediation
- 44% need improvement in assessing their controls’ effectiveness
- 42% need improvement in capturing, tracking and reporting deficiencies
Challenges With Vendor Risk Management
The same Hyperproof survey asked respondents “What are your challenges or top struggles when managing the risk associated with third parties?” Respondents admitted that their third-party risk management programs still have plenty of room to mature:
- Visibility into the true risk profile of third parties is still low: 55% of respondents felt challenged in getting complete accurate risk information about their vendors
- 51% of respondents stated that collecting risk information on third parties is manual and time consuming
- 41% of respondents struggle to monitor their third-parties on an ongoing basis because they don’t have sufficient data to monitor effectively
- 23% of respondents do not know who within their business “owns” or operates certain third-party software
- 22% of respondents have gaps in knowing what sensitive information resides within third-party systems their employees are using
- 45% of respondents stated that managing remediation projects is time-consuming
Ponemon Institute and CyberGRX surveyed over 600 IT security professionals in 2019 to learn about the cost and efficacy of the tools and processes used to conduct third-party cyber risk management today. The key findings from that survey include (The Cost of Third-Party Cybersecurity Risk Management 2019, full report):
- Organizations spent 15,000+ hours on completing assessments each year
- Enterprises aren’t getting insights: 54% say data is only somewhat valuable; less than 8% of assessments result in action
- The cost of failure is high: 70% believe the cost of failure is $13 million (costs include impact on reputation and brand, decrease in share value, loss of business, etc.)
- $2.1 million is the average annual spend on vetting third parties. Yet, 64% say the processes used are somewhat or not effective.
- 40% of organizations use manual procedures like spreadsheets and 51% deploy risk scanning tools to vet their third parties; however 34% said these tools are only somewhat valuable while 20% said the results don’t provide any insights.
- If third-party security gaps are discovered, organizations are not proactive in mitigating these risks. Only 24% of respondents say their organizations collaborate with third parties to improve their security measures. Most often organizations will request—not require—mitigation of security gaps.
Challenges With IT Compliance
During Hyperproof’s 2021 IT Compliance Benchmarks Survey, we asked respondents to think about their day-to-day activities related to IT risk and compliance management and estimate how much of their time is spent on low-level administrative tasks.
- Virtually all respondents (93%) spend at least 20% or more of their total time on administrative tasks. In other words, one whole work day every week, or two-and-a-half months every year, is wasted on routine administrative tasks.
- A full half of all respondents spend 50% or more of their total time at work on low-level administrative tasks. This means that IT security and GRC professionals are left with little time to focus on high-value IT risk management controls designed to reduce risks.
- We asked respondents to tell us what tasks they find especially tedious: The three tasks selected most often as tedious are: 1) Locating documents and other information needed for the audit (52% selected); 2) Communicating with the auditor (52% selected this), and 3) Finding information needed to meet compliance requirements (51% selected this).
- One out of every five respondents are still using spreadsheets to manage their IT compliance efforts. However, compliance management software is gaining traction; 45% of respondents are using software specifically built for managing IT compliance efforts.
Joint research from Coalfire and Omdia Research in 2020 found that growing compliance obligations threaten to become unsustainable cost burdens—51% of those surveyed are spending 40% or more of their IT security budgets on compliance.
To get additional benchmarks on how organizations are managing IT risks in 2021, download Hyperproof’s 2021 IT Compliance Benchmarks Report.