Fail Your Cybersecurity Compliance Audit? Face a 10X Chance of Getting Hacked

Last year, the world spent more than $188 billion on cybersecurity to protect businesses, industries, and critical infrastructures against cyber threats.

Yet data breaches have not just persisted but surged, highlighting a gap between financial investments and the effectiveness of cybersecurity measures.

In a world where ransomware gangs are teaming up, hackers gain access to Microsoft’s source code, and millions of people face phishing attacks per year, it feels hard to have data on the internet for more than a few minutes before a threat actor will start attacking.

Amidst this backdrop of escalating threats, organizations’ readiness to respond with actionable plans must be more robust to remove the fundamental flaws in current cybersecurity strategies — especially when it puts customer data at risk.

But at the heart of these problems lies the issue of compliance — or, more precisely, the lack of it.

According to Thales, a stark correlation has emerged between compliance audit outcomes and security breaches: 84% of organizations that failed a compliance audit had experienced a breach, with 31% occurring in the past year, compared to only 21% of compliant organizations reporting breach history and a mere 3% in the last year.


Moreover, the 43% of enterprises failing compliance audits last year were ten times more likely to suffer a data breach, underscoring the critical link between rigorous compliance standards and reduced cybersecurity risks.

This juxtaposition begs the critical question: Why is there such a disconnect between the sums spent on cybersecurity defenses and their success rate in thwarting breaches?

  • Enterprises failing compliance audits faced a tenfold higher risk of breaches than compliant ones.
  • 84% of non-compliant organizations reported breaches, compared to only 21% of compliant organizations.
  • 38% of organizations use automation for compliance and security controls, enhancing cyber defenses.
  • Although ransomware attacks rose 27%, organizations remain under-prepared, and planning for how to respond to an attack is still poor.
  • While AI poses threats, 22% of enterprises plan to leverage GenAI for security enhancements within the following year.

Compliance as the Cornerstone of Cybersecurity Resilience

Insights from the 2024 Thales Data Threat Report reveal that compliance is emerging not just as a regulatory requirement but as the linchpin of effective cyber defense strategies. The survey unveils a striking disparity in organizations’ cybersecurity outcomes, directly correlating their compliance status with their vulnerability to data breaches.

The report reflects insights from nearly 3,000 individual contributors and managerial and executive respondents from 18 countries across 37 industries and explores their data security experiences, challenges, strategies, and outcomes. The biggest takeaway of this global survey was the link between a lack of compliance and dramatically increased attack risk.

  • 43% of enterprises confessed to failing a compliance audit last year, inadvertently positioning themselves at a tenfold greater risk of experiencing data breaches than their compliant peers.
  • 84% of non-compliant organizations report previous cybersecurity breaches, of which 31% faced such incidents in the last 12 months.
  • In contrast, compliance-conforming entities demonstrated a robust defense, with only 21% reporting past breaches and 3% encountering breaches in the preceding year.

Companies that Fail Compliance Audits Are the Ones Who Get Attacked

According to Thales, over 90% of IT professionals believe security threats are increasing in volume and severity – a significant rise from 47% last year.

According to a commissioned survey conducted in 2023 by Forrester Consulting on behalf of Tenable, 48% of cyberattacks experienced by UK organizations in the last two years were successful.

The same study found that just 60% of UK organizations were confident that their cybersecurity practices were capable of successfully reducing the organization’s risk exposure.

Bernard Montel, EMEA Technical Director and Security Strategist, Tenable, told Techopedia:

“This forces security teams to focus time and efforts on reactively mitigating cyberattacks rather than preventing them in the first instance.

“Looking at what’s behind the numbers, there are two main reasons that attacks are increasing.

“Firstly, every organization’s reliance on technology, and therefore the resultant attack surface, has and continues to grow exponentially across all industries, including education, public sector, healthcare, and so forth.

“Secondly, this is further compounded by the technical complexity of rapid cloud adoption as organizations look to capitalize on the functionality, scalability, and speed it delivers to introduce new/additional business opportunities.

“The final element of this increase in threats is a lack of skilled professionals.

“While the technology skills gap has been a recurring challenge for many years, recent reports suggest that this is particularly true in the cybersecurity sector. Organizations often share that resources are constrained with a lack of ‘good people’ to hire.”

Montel added that ransomware groups are increasingly focusing their attacks on smaller organizations, where security practices are all too often less mature, making them an easy target.

He said: “For threat actors, compromising these organizations can be the first layer of a successful infiltration, facilitating further incursion into third parties.

“We have seen this a number of times in 2023, where SaaS [Software-as-a-Service] organizations’ systems were compromised and exposed data and systems of connected organizations.

“Attacks on small and medium-sized organizations (SMEs) will intensify as the infancy of their cybersecurity is exploited by a booming ransomware-as-a-service industry.

“SMEs invariably pay ransoms at a higher rate due to the severe impact it has on the continuity of their business — because of their lack of recovery protocols.

“Having a continuity plan is important, but as more threat actors look to ransom data theft, threatening to expose sensitive and confidential information unless their demands are met, it’s akin to closing the stable door after the horse has left the barn.

“Organisations must shift focus to prevent attacks before they occur, weatherproofing their company against an increased pace of threat.”

Compliance, Ransomware, and Human Error: The Persistent Threat

According to the findings in the 2024 DTR, the vast majority (93%) of enterprises reported increased threats. Unsurprisingly, it identified malware, phishing, and ransomware as the fastest-growing attacks chosen by 41%, 36%, and 32% of respondents.

The report also underscores a shift towards integrating compliance with security measures, mainly through the automation of controls, which 38% of organizations prioritizing DevSecOps have adopted.

This approach signifies a proactive stance towards cybersecurity, blurring the lines between compliance and security to forge a united front against cyber threats.

Sebastien Cano, Senior Vice President at Thales Cloud Protection and Licensing, believes compliance is the missing ingredient in building cyber resilience.

“If there’s one key takeaway from this year’s study, it’s that compliance is key. Companies that had a good hold over their compliance processes and passed all their audits were also less likely to suffer a breach.


“We’ll start to see more compliance and security functions coming together. This would be a huge positive step to strengthen cyber defenses and build customer trust.”

Security leaders are encouraged to champion this proactive and dynamic risk management ethos, leveraging compliance as a foundational pillar of cybersecurity resilience.

The data from the report shows the critical role of compliance in navigating the cybersecurity landscape and thriving within it, marking a significant step towards a more secure and trust-centric digital world.

Amidst the multitude of cyber threats, ransomware predictably stands out for its continued vicious efficacy and alarming growth rate.

The past year alone saw a 27% increase in ransomware attacks on companies, underscoring the threat landscape.

Even more concerning is the revelation that 8% of these afflicted organizations resorted to paying the ransom, a strategy fraught with its own risks and no guarantees of data recovery.

Echoing previous years’ findings, human error remains the top culprit in data breaches, responsible for 31% of incidents. Failing to apply multi-factor authentication (MFA) to privileged accounts is another significant factor, cited by 17% of those surveyed.

These recurring themes underscore a critical vulnerability in cybersecurity strategies: the human factor. As technological defenses become more sophisticated, the potential for human mistakes remains a constant and formidable challenge to data security.

Emerging Technologies and the Multicloud Maze

The complexity of managing security across multi-cloud environments adds another layer of difficulty for enterprises. The drive towards data sovereignty, with 28% of businesses identifying mandatory external key management as a primary strategy, reflects the growing importance of having control over data, regardless of its geographic location or the jurisdiction of cloud providers.

Looking ahead, the report also identifies artificial intelligence (AI) as a significant source of concern for IT and security professionals, with 57% viewing it as a potential threat vector. Yet, the silver lining appears in generative AI, with 22% of enterprises planning to integrate it into their security products and services.

This duality of technology as both a threat and a solution highlights the dynamic nature of cybersecurity challenges and the continuous need for innovation in defense strategies.

The Role of IT Professionals in Cyber Defense

Chris McKean, a NetApp solutions specialist, shared his reaction to the latest figures highlighted in the report with Techopedia.

“It’s no surprise that over 90% of IT professionals believe cyber threats are increasing in frequency and severity. Unfortunately, with ransomware on the rise, it’s a question of when, not if, businesses will be attacked.


“Technology is the central nervous system behind businesses – essential for keeping operations running smoothly. That also means the effect of a single cyber breach that brings down an IT system can be debilitating. That’s why having a strategy to recover IT systems is as crucial as protecting them.


“To achieve this, organizations must be ready to learn from evolving threats and adapt their security measures continuously. This way, organizations can help ensure IT systems are fortified from all sides, reducing the impact of any breaches for businesses.”

The Bottom Line

The insights from the 2024 Thales Data Threat Report serve as a wake-up call for enterprises to prioritize compliance, human error mitigation, and strategic adoption of emerging technologies.

However, even as technology both empowers and exposes, the path to cybersecurity resilience is clear. It lies in a commitment to compliance, education to reduce human error, and the reasonable integration of innovative technologies.

Only by addressing these foundational aspects can businesses hope to stem the tide of cyber threats and protect their most valuable asset: data.

Neil C. Hughes
Senior Technology Writer

Neil is a freelance tech journalist with 20 years of experience in IT. He’s the host of the popular Tech Talks Daily Podcast, picking up a LinkedIn Top Voice for his influential insights in tech. Apart from Techopedia, his work can be found on INC, TNW, TechHQ, and Cybernews. Neil's favorite things in life range from wandering the tech conference show floors from Arizona to Armenia to enjoying a 5-day digital detox at Glastonbury Festival and supporting Derby County.  He believes technology works best when it brings people together.