IT Cybersecurity Compliance Survey

4 in 5 respondents think following compliance frameworks is ‘very‘ or ‘extremely‘ important, the Hornetsecurity 2023 IT Cybersecurity Compliance survey finds.

Key takeaways from the 2023 IT Cybersecurity Compliance Survey by Hornetsecurity

• 78.8% of organizations are more concerned about compliance issues now than five years ago.
• 57.2% of organizations believe the burden of compliance falls on the IT department.
• 59.1% of respondents say that meeting IT compliance requirements impact IT departments’ day-to-day activities.
• 21.6% of organizations say they use automation tools to verify IT compliance requirements.
• 33.3% of respondents say the lack of reporting and auditing tools is the main reason why the cloud isn’t a reliable data storage solution for their organization.
• 81.7% of respondents believe they would gain ‘moderate’ to ‘extreme’ benefits from a new compliance management tool in Microsoft 365.
• 27.6% of SMEs employ a dedicated IT compliance officer.
• 35.3% of large organizations (1000+ employees) have received penalties for non-compliance, with the majority originating from Europe.

About the 2023 IT Compliance Survey

To keep up with the IT industry and cybersecurity trends, our Hornetsecurity team conducts regular surveys every few months. Each survey addresses specific topics relevant to the IT industry and businesses of all sizes operating from all across the world.The current IT compliance trend highlights a particular issue prevalent in modern business. Considering more businesses are shifting day-to-day operations to the digital world, the need to remain compliant with relevant laws, regulations, industry standards, and internal policies becomes necessary.

Speaking on the matter, Hornetsecurity CEO, Daniel Hofmann, said: “This new survey should be a wake-up call for businesses. The fact that more than half of companies are hindering the day-to-day work of IT departments through a lack of compliance staff and policies is a huge concern. It confirms our suspicion that there’s a widespread need for easy-to-use, compliance management solutions to enable companies to streamline data management and reduce the risk of data loss.”

IT compliance is a series of legal and internal requirements set by governments and official bodies of industries to ensure businesses and organizations protect sensitive information, maintain data integrity, and mitigate security risks. IT compliance encompasses a broad range of areas, including data privacy, information security, system reliability, and transparency.

Our 200+ survey respondents come from multiple roles within IT departments, regions, industries, and years of experience.

The Current IT Cybersecurity Compliance Landscape

The landscape of IT compliance is continually evolving as organizations strive to meet the stringent demands of an increasingly complex regulatory environment. With the rapid advancements in technology and the growing importance of data protection, IT compliance has become a critical focus for businesses across various industries.

One reason, in particular, is the growing emphasis on cybersecurity. Modern cybersecurity measures dictate the best practices for total security in the digital world for businesses and individuals. From cybersecurity solutions and backups to raising security awareness, businesses are finding it more and more difficult to navigate the digital world. Furthermore, the more we transition into the digital world, the more security incidents become commonplace.

However, as cyber threats continue to escalate, regulatory bodies are placing greater importance on organizations’ ability to safeguard their IT systems, infrastructures, and data from unauthorized access, breaches, and malicious activities. Modern compliance requirements often include implementing robust cybersecurity measures, conducting regular cybersecurity vulnerability assessments, and establishing incident response plans.

Another prominent aspect of the current landscape of IT compliance is the proliferation of regulatory frameworks. Governments and regulatory bodies worldwide have implemented stringent laws and regulations to safeguard sensitive information, promote data privacy, and mitigate emerging cybersecurity risks. Organizations must navigate a maze of requirements, ranging from general regulations like the GDPR and CCPA to industry-specific standards such as PCI DSS and HIPAA.

Unfortunately, the current landscape of IT compliance doesn’t tolerate failure, as failure to meet these laws and regulations could result in costly penalties. The nature of these penalties could be financial, license-related, or something else entirely.

Speaking on the matter, David Coolegem, Senior Manager at Sia Partners, said: “The fines of GDPR are big, but the reputational risk is likely to be bigger.”

Because of this, and the necessity to protect sensitive information, organizations are forced to meet government IT compliance regulations. Even if organizations entirely rely on cloud-based solutions, they still must adhere to the rules and laws put in place to protect customer data.

Pros and Cons of Following IT Cybersecurity Compliance Requirements

Cons of IT Cybersecurity Compliance

• Resource Intensive

One of the main cons of complying with IT compliance requirements is that it requires significant resources. From financial investments to hiring dedicated compliance officers and similar personnel, some businesses might initially struggle with the costs associated with compliance efforts.

• Complexity In Meeting Standards

IT compliance standards have gotten increasingly complex and stringent over the years. As such, staying current with the constant changes in compliance requirements can pose a challenge and a great burden on organizations.

• Impact on Innovation

To ensure compliance activities, businesses might have to divulge resources away from business operations and innovation departments. As such, there can be a potential impact on innovation.

• Hassle

The need to comply with compliance requirements can lead to compliance fatigue. In addition, compliance audits can be stressful and a hassle for many organizations, especially SMBs.

4 in 5 Organizations Are More Concerned About IT Cybersecurity Compliance Issues Now Than Five Years Ago

The main finding of our survey revealed a significant shift in organizations’ thinking and attitude regarding IT compliance compared to the past half-decade. Nearly 4 in 5 organizations are more concerned about IT compliance issues than five years ago.

Nowadays, stringent IT compliance laws and regulations leave very little room for errors. The survey’s finding underscores the evolving regulations landscape and the ever-increasing importance of data protection, data privacy, and data governance.

The survey’s findings imply that organizations are well aware of the potential security threats, such as phishing, lurking in the digital world. But more importantly, the potential risks associated with non-compliance. Several factors play a decisive role in today’s heightened compliance awareness.

First and foremost, IT compliance laws and regulations have gotten more rigorous and extensive. Governments and official industry bodies have emphasized the necessity to safeguard critical information and protect privacy rights. As well documented, a potential data breach poses a great risk to such information, hence why governments and official bodies have introduced regulations such as GDPR, CCPA, HIPAA, and many more.

Secondly, there’s been no shortage of high-profile data breaches and cybersecurity attacks on government and private organizations. Most damagingly, these attacks have captured the public’s attention and highlighted the consequences of falling victim to such an act. From financial to reputational damages, a data breach that results in customer privacy violations can be severely costly for organizations.

5 in 10 Respondents Think That Compliance With These Frameworks Is ‘Very Important ‘

Our survey found that the majority of respondents agree that compliance with these frameworks is important. While the vast majority believe it to be ‘very important‘ with 53.4%, only 28.8% believe it is ‘extremely important.’ But not every respondent shares such concerns. The survey found only 11.5% of respondents believing IT compliance is ‘moderately important,’ 4.8% finding it ‘slightly important,’ and only 1.4% answering ‘not important at all.’

The survey finding underscores an increase in recognition of the importance of such frameworks. Since these frameworks provide a comprehensive and structured approach to data protection best practices and measures, businesses and organizations can use the frameworks’ roadmaps to implement security features and controls, policies, and best practices to protect crucial information.

Paul Koziarz, President and General Manager of Regulatory Compliance at CSI, said: “Besides, without a compliance framework, some organizations might not implement any security practices at all (or at least until it is too late). Organizations must constantly challenge themselves to remain in full compliance and seek ways to go above and beyond to ensure the highest levels of security.”

The fact that more than half of the respondents believe compliance with such frameworks is at least important demonstrates a willingness and openness to widespread adoption and implementation of established compliance frameworks.

All in all, the finding underscores the growing recognition of the crucial role that compliance frameworks play in ensuring data security, privacy, and overall risk management within organizations.

6 in 10 Respondents Say Effort to Meet IT Compliance Impacts Day-to-Day IT Department Activities

According to our IT compliance survey, a significant majority of respondents perceive their efforts to meet IT compliance requirements to have a direct impact on the day-to-day activities of their IT departments. The finding highlights an increased influence compliance obligations exert on the operational aspects of modern organizations.

So what are the reasons for it? Today’s compliance initiatives force businesses and organizations to enact compliance policies and controls to adhere to government regulatory requirements. Furthermore, they create additional administrative overhead and drain IT department resources. What this does is take resources away from day-to-day IT activities.

As such, organizations admit the challenges IT departments face to strike a balance between compliance and effective operation. Our survey found that 57.2% of organizations believe the burden of IT compliance falls entirely on their IT departments.

Meeting IT compliance requirements also requires extensive documentation and record-keeping. Furthermore, there is a necessity to maintain accurate records and evidence of compliance with regulations. If these tasks are left to IT departments, it diverts attention away from crucial IT-related duties. Moreover, the increased administrative burden on IT departments hinders innovation, troubleshooting, development, and providing timely support to clients and customers.

But the troubles don’t stop there. Compliance efforts often require ongoing monitoring and assessment. Ensuring compliance is a continuous effort that requires adopting strategies to streamline the process.

2 In 10 Respondents Use Automation Processes to Verify IT Compliance

Our survey results indicate that only 2 in 10 (21.6%) respondents currently utilize automation processes to verify IT Cybersecurity compliance. Our survey also indicates that 4 in 10 (38.5%) of respondents use manual processes to verify IT compliance, while only 15.9% do not have any processes to verify IT compliance. This finding highlights a potential area for improvement in leveraging technology to streamline compliance activities and enhance efficiency.

When comparing manual and automation processes for compliance verification, there’s an obvious winner: the latter. Automation streamlines the entire IT compliance verification process from start to finish. Moreover, automation minimizes human errors, reduces manual efforts, and enhances accuracy and consistency.

Automation tools for IT compliance verification offer tracking and monitoring capabilities. These tools can perform checks and audits and identify potential non-compliant areas to improve. Unfortunately, the low adoption of these tools actively hinders businesses and organizations. The low adoption also suggests that most respondents rely on manual verification methods. Therefore, an obvious solution would be to use automation tools for greater efficiency.

If automation saves time, manual means only cost organizations in the short and long term. In addition, manual verification means can be resource-intensive and prone to inconsistencies and errors. Finally, manual processes often require dedicated personnel to perform audits, checks, and write compliance reports.

1 in 3 Respondents Says ‘Lack of Effective Reporting and Auditing Tools’ is the Main Reason the Cloud Cannot Be Used to Store Data

Our survey indicates an alarming 1 in 3 respondents identified the ‘lack of effective reporting and auditing tools’ as the primary reason preventing them from utilizing the cloud as a storage solution for their data. This finding sheds light on a significant concern that organizations face when considering cloud adoption and highlights the importance of robust reporting and auditing capabilities in cloud environments.

The finding raises concerns, especially when considering our previous survey, where we found that 93% of the IT industry will adopt cloud tech within five years.

This doesn’t come as a surprise, considering cloud storage is inherently beneficial as it offers remote accessibility and scalability and is cost-effective for organizations. However, it might not be the best option when entrusting your most sensitive data to cloud providers right now. To ensure regulatory compliance in a cloud environment, organizations must have adequate reporting and auditing tools, which our survey finds cloud service providers are missing.

Without proper auditing and reporting tools, organizations lack visibility into how their data is handled, processed, and accessed in the cloud. Furthermore, data protection is another area of concern when storing sensitive data on the cloud. When facing possible data breaches and security incidents, the lack of auditing tools makes identifying threats and tracing their origins impossible.

Simply put, there’s no way to investigate potential breaches and incidents, meaning organizations increasingly hesitate to entrust their most sensitive data to cloud service providers. To address such concerns, cloud service providers must integrate third-party auditing and reporting tools or develop their own. That way, organizations will gain insight into how their data is handled, accessed, used, and modified. In addition, cloud service providers must implement security features that protect organizations’ data.

4 In 5 Respondents Say Their Organization Would Gain ‘Moderate’ to ‘Extreme’ Benefits from Using Easier Compliance Management Tools in Microsoft 365

The survey results reveal a compelling finding: 4 in 5 respondents believe their organization would experience a ‘moderate’ to ‘extreme’ benefit from utilizing easier compliance management tools in Microsoft 365. This finding highlights the perceived value and potential impact such tools can have on enhancing compliance efforts within organizations.

Microsoft 365 is one of the most popular cloud-based services businesses and organizations use to enhance collaboration and productivity. It is used by millions of businesses worldwide to varying effects. Some use it for document sharing, while others use it on a much larger scale. But Microsoft 365 does support IT compliance management.

Popular compliance tools within the Microsoft 365 suite include the Compliance Manager, Auditing, DLP, eDiscovery, and Insider Risk Management, among others. Our survey found that 39.2% of respondents don’t use any available compliance tools in the Microsoft 365 suite. On the other hand, 35.4% use Compliance Manager, 33.1% use Auditing, 28.7% use various DLP features, 24.9% use the eDiscovery tool, 16.6% use Insider Risk Management, while 2.2% of respondents answered with ‘other.’

Diving deeper into Microsoft’s native compliance tools, 51.9% put ‘Lack of Internal Knowledge’ as the biggest problem for their organization when using these tools. A slightly smaller portion of respondents, 43.6%, put ‘Complexity’ as the biggest problem. The findings highlight a necessity for newer and easier compliance tools in Microsoft 365.

One advantage easier-to-use compliance tools in Microsoft 365 could have is the ability to streamline and automate compliance processes.

1 In 4 SMEs Employs a Dedicated Compliance Officer

Our survey also gathered information about respondents, such as their years of experience in IT, where they are based, and the business size. The survey revealed the majority of respondents (68.3%) were businesses with 1 to 50 employees. SMEs (small to medium-sized businesses) are defined as companies with 1 to 50 employees. Our survey found that 1 in 4 (27.6%) SMEs employ a dedicated IT security officer for IT compliance. On the other hand, 1 in 4 (24.5%) large businesses do not employ a dedicated compliance officer.

This finding revealed that compliance with IT regulations and standards is a critical aspect of business operations, regardless of the organization’s size. SMEs, in particular, may face unique challenges when managing compliance, as they often have limited resources, personnel, and expertise dedicated to this function.

Despite all that, employing a dedicated compliance officer can benefit SMEs in numerous ways. First and foremost, compliance officers are individuals with up-to-date knowledge and expertise in industry standards and best practices in IT compliance. Moreover, the role of compliance officers is to ensure organizations implement the relevant requirements applicable to their industry and measures to address them.

Compliance officers are also tasked with developing compliance policies and procedures unique to the organization’s needs. From internal controls to conducting risk assessments, compliance officers are becoming crucial roles in modern business. As a result, employing a dedicated compliance officer is a must for businesses of all sizes.

Large Businesses Are More Likely to Receive Penalties for Non-Compliance

Our survey also gathered information about respondents, such as their years of experience in IT, where they are based, and the business size. The survey revealed the majority of respondents (68.3%) were businesses with 1 to 50 employees. SMEs (small to medium-sized businesses) are defined as companies with 1 to 50 employees. Our survey found that 1 in 4 (27.6%) SMEs employ a dedicated IT security officer for IT compliance. On the other hand, 1 in 4 (24.5%) large businesses do not employ a dedicated compliance officer.

This finding revealed that compliance with IT regulations and standards is a critical aspect of business operations, regardless of the organization’s size. SMEs, in particular, may face unique challenges when managing compliance, as they often have limited resources, personnel, and expertise dedicated to this function.

Despite all that, employing a dedicated compliance officer can benefit SMEs in numerous ways. First and foremost, compliance officers are individuals with up-to-date knowledge and expertise in industry standards and best practices in IT compliance. Moreover, the role of compliance officers is to ensure organizations implement the relevant requirements applicable to their industry and measures to address them.

Compliance officers are also tasked with developing compliance policies and procedures unique to the organization’s needs. From internal controls to conducting risk assessments, compliance officers are becoming crucial roles in modern business. As a result, employing a dedicated compliance officer is a must for businesses of all sizes.

European Businesses Are More Likely to be Penalized for Non-Compliance Than Their North American Counterparts

Our survey also dived deeper into the nature of non-compliance penalties based on where respondents were geographically operating. Our findings showed that European businesses are more likely to be penalized for non-compliance, with 5.2% being already penalized compared to 2.9% of North American businesses. The survey results showed a remarkable finding. Namely, it highlights the difference in the regulatory landscape and the subsequent enforcement or compliance regulations between the two regions.

Although not by a significant amount, several factors contribute to the higher likelihood of non-compliance penalties for European businesses and organizations. The most significant factor is the implementation of stringent data protection regulations in the European Union. For example, the General Data Protection Regulation (GDPR) is a well-established data protection framework, and most businesses in the European Union must adhere to it.

Secondly, European regulatory bodies have taken a proactive approach to enforcing these compliance regulations, demonstrating a strong commitment to holding entities accountable in case of personal data breaches

North American Businesses Are More Confident Their Organizations Are Compliant Compared to Their European Counterparts

Based on our survey findings, North American businesses are more confident their organizations are compliant compared to their European counterparts, but only by a little. The survey’s results showed 92.7% of North American businesses are confident are compliant, compared to 87% of European respondents.

One key factor impacts the higher confidence among North American respondents. North America has a more unified regular landscape, especially the United States, due to being one country. On the other hand, Europe has country-specific laws and regulations regarding data protection. Oftentimes, certain regulations apply to specific countries or regions of Europe. In many cases, data protection laws and regulations in one country don’t apply in another. This unified approach hinders European entities when meeting regulatory requirements.

Secondly, it is perceived that European regulations are more stringent compared to North American regulations. This might lower the level of confidence among European entities. However, it’s worth mentioning that confidence levels do not reflect the actual compliance status among organizations from both continents. Furthermore, North American entities might not become compliant based solely on higher confidence levels.

To truly understand whether these entities are compliant, they must continuously evaluate their compliance measures and ensure practices can prevent risks that lead to data breaches and security incidents.

About the 2023 Hornetsecurity IT Compliance Survey Respondents

When it comes to years of experience in IT, 51.9% of respondents answered with ’21 years or more,’ 16.3% answered with ’16-19 years of experience,’ 13.95 with ’11-15 years of experience,’ 11.1% with ‘6-10 years of experience,’ and only 6.7% with ‘1-5 years of experience.’

Our survey also requested respondents to give accurate information about the size of their business (employee count). The majority, 68.3%, were businesses with 1-50 employees, while only 8.2% were businesses with 1000+ employees. The survey found 13.5% were businesses with 51-200 employees, 6.2% with 201-500 employees, and only 3.8% with 501-999 employees.

Lastly, our survey also asked participants where they were based. Europe was the dominant region with 55.3%, North America came second with 32.7%, followed by Australia and Asia with 3.4% and 2.9%, Africa with 2.4%, South America with 2.4%, and the Middle East with 1%.

FAQs