
Is ensuring compliance the cost of doing business?

5th Aug 2024 | 11 min read


IT compliance isn’t the most exciting topic in the world, nor is it one that the average person has a wealth of expertise in.

So it’s no surprise that few businesses follow the standards they need to. IT security and compliance are often deprioritised, leading to vulnerabilities and slip-ups.

But failure to get on top of compliance puts your business at significant risk. You leave yourself subject to everything you don’t want: reputational damage, disruption and fines.

As our world becomes more digital, compliance is more crucial than ever, with stronger regulations coming into play. Soon, it will no longer be possible to survive as a business without compliance.

In this guide, we explore the cost of compliance versus non-compliance for your business and how to get it right.


Why does IT compliance matter so much for your business now?

The Cyber Security Breaches Survey 2024 found that half of all UK businesses faced a cyber security breach last year, up from 32% the year before. This number is only going to rise further.

As businesses become increasingly digital, they become more of a target for cyber criminals. Regardless of the size of your organisation, attackers can hack into your channels and endpoints, with the aim of stealing information.

Rapidly evolving technology has also enabled criminals to attempt more sophisticated targeting, at a greater scale. In the wrong hands, tools like AI can support malicious activity, leading to a barrage of attacks.

On top of this, new technology can leave you susceptible to breaches if it does not meet your security standards or if staff use it against company policy. For example, public AI tools can share your information with the public without you even knowing.

Given this changing landscape, the government in April 2024 announced new laws to protect businesses against cyber crime. The new laws put an emphasis on meeting minimum standards across systems and devices. The onus is on organisations to protect themselves as the outside risk increases. We can expect such laws and regulations to continue to emerge as cyber crime rises.

Aside from the increased risk facing businesses today, there’s the issue of costs and productivity. Following economic uncertainty, many leaders are fighting to cut costs. In some cases, this has led to IT budgets being minimised at the cost of true compliance.

However, compliance breaches can have costly implications for businesses, including fines. There are also knock-on effects to productivity and cost-efficiency if a compliance issue leads to outages or other disruption. This makes it harder for organisations to operate in a lean manner, detracting from their efforts to survive a tumultuous time.


Examples to learn from

No business is exempt from the ramifications of non-compliance. Here are just a few stories from recent years, showing the real implications of a breach.


1. EasyJet

In 2020, airline EasyJet suffered a data breach affecting over 9 million customers. Hackers gained access to personal information including email addresses, travel history and passport details.

Following the incident, the ICO, the UK’s data protection watchdog, ruled that EasyJet had failed to implement appropriate security measures, leading to a GDPR violation. It issued EasyJet a record-breaking fine of £18.3 million.


2. Tesco Bank

In 2016, Tesco Bank was hit by a cyber attack in which hackers stole £2.26 million from customer accounts.

The FCA investigation found that Tesco Bank’s weak anti-fraud controls and failure to properly manage risks led to the breach.

In 2020, the FCA imposed a £16.4 million fine for breaching FCA regulations concerning customer protection and cyber resilience. This case highlights the long-term consequences of non-compliance, which continue well after the incident itself.


3. VARTA

In February 2024, German battery manufacturer VARTA had to halt production following a cyber attack. The attack closed five plants for several weeks after affecting IT systems and related production equipment.

While it has not been made public whether data was compromised in the attack, VARTA has since lowered its yearly targets, citing the attack as an obstacle. This shows the impact non-compliance can have on productivity as well as costs.


These are just a few examples. You can see a list of known data breaches in 2024 here, showing you exactly how widespread and common they can be.


What is the cost of non-compliance?

We’ve spoken about the importance of compliance, but what exactly are the consequences if you don’t comply with IT security standards? We’ve put together a list of the implications you can expect.


Financial penalties

If you breach regulations related to your industry, it can result in costly fines. Examples of these regulations include:


1. NIS2

NIS2 aims to improve cyber security across essential sectors like energy, transportation, waste management and healthcare.

For non-compliance, businesses face fines of at least €10,000,000 (around £8.8 million) or 2% of the company’s total global annual revenue, whichever is higher.


2. GDPR

Data privacy regulations like the General Data Protection Regulation (GDPR) aim to protect the personal data of individuals.

Like NIS2, GDPR allows supervisory authorities to impose fines of up to €20,000,000 (around £17.6 million) or 4% of a company’s total worldwide annual turnover.

Depending on your industry, further regulatory bodies may be able to impose fines, including the likes of the FCA.


As you can see from the figures, non-compliance can bring hefty costs that could substantially lower your profit margins or ruin your business altogether.

On top of this, if you do have to take part in a non-compliance investigation, you can expect to front any legal fees associated, worsening the financial impact.


Reputational impact

Without trust, you don’t have customers. And without customers, you don’t have a business.

Unfortunately, non-compliance can harm your business reputation. If a customer has their data compromised by your business, they’re unlikely to trust you, buy from you and recommend you to others. This makes it hard to build continued brand loyalty, with knock-on effects to your revenue.

Data breaches can also bring negative press coverage that makes it difficult to attract new clients and investors, which can significantly stifle your success and growth potential.


Business disruption

A cyber attack or data breach can derail your operations.

Depending on the nature of the attack, you may face outages or disruption. For example, if your IT systems are compromised, you might not be able to use them for some time. Instead, your business must resort to manual processes that take much longer.

In some cases, you’ll need to completely shut down parts of your business, if not your entire operations. This can lead to long-term disruption, meaning you miss deadlines and fall short of customer expectations.

As your IT team seeks to resolve the issue, this eats up its resources, meaning other priorities fall behind. If you do have to undergo an investigation after an incident, this will further divert resources from your core activities. Staff will be expected to assist investigators, which increases workloads.


Security vulnerabilities

If your business isn’t fully compliant across your systems and processes, it increases the risk of an incident. Successful cyber attacks and data breaches are far more likely to occur.

There’s also a higher chance of sensitive information loss and resulting lawsuits if you accidentally leak private data.

These mishaps result in the costly fines we’ve already outlined, as well as ongoing legal costs. Cyber attackers may even hold you to ransom, resulting in further financial implications for your business.


Missed market opportunities

Some sectors and markets are more highly regulated than others. If you are in a heavily regulated industry (such as the public sector), failure to be compliant can affect your ability to enter the market and gain market share.

Many clients will conduct due diligence before choosing your business. If you fail this due to your non-compliance, you will miss out on rewarding contracts and opportunities for growth.

Even if your business isn’t heavily regulated, it’s crucial to keep up to date on best practices and regulations. As cyber crime becomes more frequent, regulation is likely to become more common across every industry.


What is the cost of compliance?

Lack of IT budget is often cited as a reason businesses don’t stay on top of compliance. It is true that compliance comes at a cost – though this is far less than the expense and wider disruption of non-compliance.

In order to be fully compliant, you can expect costs associated with:

  • IT resource: This may include recruiting internal experts or accessing the support of third-party professionals
  • Training: Staff need to stay up to date with the latest regulations to abide by them, which requires regular training
  • Software: In some cases, you may need to upgrade your technology to ensure it meets standards, which requires investment
  • Auditing: It’s generally a good idea to get a professional audit to check your IT compliance, which will come at a small cost to your business. You may also wish to consult third-party legal advice
  • Record-keeping: Preparing and submitting regular reports to regulatory bodies can be time-consuming and require dedicated personnel

Although each of these aspects carries a cost for your business, together they do not reach the height of fines, legal costs, reduced productivity and reputational damage. It’s therefore far cheaper to be compliant than not.


How to build a culture of compliance

Compliance isn’t something that you do once. It’s an ongoing culture across your business.

We’ve put together our top tips for building a compliance culture that ensures results.


1. Leadership commitment

Management buy-in is crucial to ensuring compliance. If leaders can openly demonstrate their commitment to compliance and emphasise its importance, the rest of the business is likely to listen.

Consistently communicate the ‘why’ behind compliance, with focus on how it protects the company, employees and customers. If there are any changes or updates to your policies, make sure these are also widely communicated.


2. Invest in education

Many employees won’t know everything about compliance. So, seek or develop programs specific to their job roles that provide up-to-date information on relevant regulations (like GDPR and NIS2).

Cyber Essentials is a great example of a certification worth pursuing. It’s a government-backed program, designed to help businesses improve their security posture. So, it’ll enable your staff to protect your business while demonstrating your compliance to the public.

Education should be ongoing as regulations and threats evolve. Regularly update training to ensure employees stay informed about the latest compliance requirements and best practices.


3. Maintain an open dialogue

It’s crucial to create an environment where employees feel comfortable reporting potential security risks or compliance concerns. This gives you a chance to rectify issues before they have harsher consequences.

Consider creating anonymous reporting channels where people can give feedback freely. You should regularly collect employee views on existing policies and procedures to create a continuous feedback loop that empowers you to do better.


4. Have clear and accessible policies and procedures

Any policy or procedure you create should be documented and made easy for any employee to understand. Aim to develop clear and concise IT security and compliance policies that all your employees can easily access when needed.

Remember to also regularly review your policies and make updates as regulations change, so you’re always on the ball.


5. Leverage technology and tools

Fortunately, there are valuable solutions available that make it simple for businesses to ensure compliance. You will want to invest in security software that protects your data and enables you to meet at least the minimum requirements.

Some solutions, such as those with automation, can also streamline compliance tasks and reduce the effort required for tasks like reporting. This will save your IT team time, while ensuring you stay on top of compliance.

You can also utilise tools that simulate phishing attacks, helping you to test your defences and raise awareness among your teams.


6. Continuous improvement

Compliance is never ‘done’. It’s a regular practice you need to live by. As you build this mindset, you’ll likely improve as you learn.

Start by scheduling regular audits to identify and address any gaps in compliance practices. You’ll also want to track key metrics related to compliance incidents and security awareness.

Your findings from the data can then be used to drive your strategy forward and address vulnerabilities.


Get on top of compliance today

Total compliance is crucial to protecting your business against cyber attacks, reputational damage and costly fines. With cyber threats on the rise, it’s never been more important to ensure your business is meeting security standards and industry regulations.

Compliance requires you to have the skill and understanding to identify and follow best practice internally. It also requires you to have the right solutions that protect your security posture and move towards compliance standards.


Our Infinity UNBOUND: Get to Secure video series is a programme of bite-sized, expert-led sessions explaining how small businesses can gain compliance. Covering the current threat landscape, you’ll gain actionable advice to implement, backed by supportive solutions that enhance your resources.

