Research Reveals Outdated Tools Present Compliance & Financial Hazards
Outdated tools are an invitation to cybersecurity risks.
A third of surveyed organizations maintain over 25 published policies and over two-thirds sustain over five policies. Yet nearly two-thirds of surveyed organizations use inefficient spreadsheets to manage their compliance process.
Tampa Bay, Fla.-based KnowBe4, which provides security awareness training and simulated phishing platforms to more than 18,000 organizations worldwide, revealed results from a survey of 1,872 cybersecurity professionals on compliance management.
The research, which found most organizations must comply with a large and growing number of compliance obligations, outlined the increasingly overwhelming task. “Compliance is time-consuming and takes already limited staff time away from other tasks; it’s fraught with risk because of the potentially severe consequences associated with a failure to adequately satisfy these obligations.” The report maintained the current processes in place in many organizations, including financial institutions, are not adequate to meet current compliance obligations, nor are they scalable to meet future ones.
“It’s vital for organizations of all sizes to have the right tools to properly manage their varied compliance needs,” KnowBe4 CEO Stu Sjouwerman said. He explained why KnowBe4 created the KnowBe4 Compliance Manager, a SaaS product, to help many organizations replace outdated spreadsheets with an easier, more manageable solution to comply with so many regulations and laws. The CEO said KCM helps credit unions get through an audit in half the time and at half the cost.
Other key findings from the report included:
- The penalties associated with a failure to comply with the various regulations can be significant (such as GDPR’s up to €20 million or 4% of annual global revenue) and can create a variety of both financial and non-financial consequences.
- Most organizations surveyed must track a significant number of internal controls and business processes to become compliant with the various regulations and regulatory frameworks.
- Most organizations go through at least two internal and/or external audits each year, but more than 15% go through six or more such audits each year.
- Most organizations have either not evaluated compliance and audit management products (42%) or have done so in the past (40%), but 51% are interested in the use of SaaS-based compliance management applications.
Of course, none of these compliance matters would be an issue if hackers were not continually looking to do damage and obtain data.
Sjouwerman demonstrated how easy it is for the bad guys to get into a system by sending this reporter a spoofed email with a working link that outwardly looked like it came from Credit Union Times Managing Editor Natasha Chilingerian, who knew nothing about it. “I decided to send it as if it was her, just to let you know how easy it is for pretty bad guys to get to your inbox. If I had been a bad guy, it could have been malicious.”
KnowBe4, which provides thousands of credit unions with awareness training, staged the demonstration to show how important it is for everyone doing business, including credit unions, to configure their email correctly. Sjouwerman said awareness is only one piece of the puzzle of being compliant. He noted credit unions generally have one compliance officer, and most of them are still using spreadsheets to manage an increasing number of compliance controls.
“Compliance doesn’t automatically mean security. It starts as a baseline. But if you are too busy doing compliance and you do not have enough time to make sure you are secure then the solution becomes a problem,” Sjouwerman suggested.
Many organizations, including those in the financial services industry, are becoming overwhelmed with compliance issues. In the U.S. there are several important regulators and regulations that impose requirements, such as the Securities and Exchange Commission, the Financial Industry Regulatory Authority, the Dodd-Frank Act, the PATRIOT Act and the Gramm-Leach-Bliley Act. The General Data Protection Regulation also recently imposed rules on data protection and privacy for all individuals doing business within the European Union.
“Most organizations use homebrew code or spreadsheets to keep track of all those controls and both of those are an invitation for error,” Sjouwerman held. KCM, he added, will give them much more control over that whole process, make it much less error-prone and save some time and money.