The global study of 750 IT decision makers revealed that British organisations have spent on average £53.5 million each to comply with the GDPR, the California Consumer Privacy Act (CCPA), and other data privacy regulations over the past year. Most organisations have hired new talent (83 percent), invested in workforce training (88 percent) and introduced new software or services (76 percent) to ensure continued compliance. In addition, 89 percent of organisations have set aside or increased their cyber liability insurance by an average of £117 million each, to deal with the potential consequences of a data breach.
However, despite this increased investment, organisations still feel unprepared to deal with the evolving regulatory landscape, with over a third (36 percent) claiming that a lack of visibility and control of endpoints[1] is the biggest barrier to maintaining compliance with regulations such as GDPR.
Increased spending not solving visibility challenges
This lack of visibility into the endpoints organisations manage, such as laptops, servers, virtual machines, containers and cloud infrastructure, causes major challenges. In fact, the study revealed major visibility gaps in the IT environment of most organisations prior to the pandemic. Ninety-three percent of IT decision makers have discovered unknown endpoints within their IT environment, and 71 percent of global CIOs said they discover new endpoints on a weekly basis.
Mass home working and employee use of personal devices are likely to exacerbate these problems further, expanding the corporate attack surface. When compliance relies on understanding what tools you use, what endpoints you have and what data you hold across the entire organisation, these visibility gaps are potentially dangerous.
Chris Hodson, Chief Information Security Officer at Tanium, said: “While it’s encouraging to see global businesses investing to stay on the right side of data privacy regulations, our research suggests that their good work could be undermined by inattention to basic IT principles. Many organisations seem to have fallen into the trap of thinking that spending a considerable amount of money on GDPR and CCPA is enough to ensure compliance. Yet without true visibility and control of their IT assets, they’re leaving a backdoor open to malicious actors.”
What is causing visibility gaps?
The majority (93 percent) of respondents acknowledged fundamental weak points within their organisations that are preventing a comprehensive view of their IT estate.
These visibility gaps are being exacerbated by the following:
The research found that UK firms have implemented an average of 41 separate security and operations tools to manage their IT environments. Tool sprawl like this further limits the effectiveness of siloed and distributed teams, adding unnecessary complexity.
Tech leaders are concerned about the consequences
In the study, IT leaders cited concerns that limited visibility of endpoints could leave their company more vulnerable to cyberattacks (57 percent), damage the brand reputation (42 percent), make risk assessments harder (36 percent), impact customer churn (27 percent) and lead to non-compliance fines (34 percent).
Respondents also revealed a false sense of confidence when it came to compliance readiness. Ninety-four percent of IT decision makers said they were confident of being able to report all required breach information to regulators within 72 hours. But with nearly half (46 percent) reporting that they have challenges in getting visibility into devices on their network, this confidence appears to be misplaced: a single missed endpoint could be a compliance violation waiting to happen.
Chris Hodson, Chief Information Security Officer at Tanium, concluded: “GDPR and CCPA represent the beginning of a complex new era of rigorous data privacy regulations. Although some regulators have postponed large fines due to the current pandemic, it doesn’t defer the requirement for companies to ensure personal information is stored and processed using the strictest safeguards.
“Technology leaders need to focus on the fundamentals of unified endpoint management and security to drive rapid incident response and improved decision making. The first step must be gaining real-time visibility of these endpoints, which is a crucial prerequisite to improved IT hygiene, effective risk management, and regulatory compliance. With most teams working from home these days and many having to use their own devices, this has never been more important.”