Cybersecurity and Compliance Programs in a Recession? (Yes. Here’s Why.)

Julie Butterfield October 26, 2022

With experts forecasting that a recession is looming, many businesses might be making tough choices about what’s important to their bottom line.

We talked with our Director of Compliance Strategy, Eric Ratcliffe, about the make-or-break effect cybersecurity measures and compliance programs can have on a business and why it’s not the time to cut back on them.

Amid the economic turmoil right now, some businesses might be making difficult budget decisions—are you having those conversations with people?
We certainly are. As budgets become tighter, it seems to be a common question: Do I really need to do all of this from a cybersecurity and compliance perspective? In my opinion, the costs of cybersecurity and compliance programs should remain an uncuttable expense. Regulatory requirements and vendor requirements have only increased in the past few years. Along with that increase, cyber threats are also on the rise. Evaluate your risk assessment program: Can you accept any risks that in the past were not acceptable? Can you find ways to leverage your third-party audit and compliance requirements?  Discuss these topics with your audit firms as well as your customers, but now is not the time to be less secure and less prepared to protect your environment from bad actors.

If a company is considering scaling back, what are some reasons cybersecurity and compliance improvements—and monitoring—should remain in the budget?
First, it helps to understand the differences between cybersecurity and compliance and how they tie together. Cybersecurity refers to the implementation of effective controls to protect company digital assets, where compliance is a way to ensure controls are working as designed to meet contractual or third-party regulatory requirements. Cutting your budget in these areas can lead to lost revenue because you may not be able to meet—or prove that you are meeting—customer and/or regulatory obligations, which may also prohibit you from bidding on new projects. For example, when you must have SOC 2, PCI, ISO, etc. to meet minimum vendor due-diligence requirements, but have discontinued your compliance program, you’ll be forgoing the opportunity to even bid on that new project.

Which is more expensive—a data breach or improving your cybersecurity and compliance programs?
Some reports indicate that the average cost of a reported data breach in the U.S. has risen to $4.35 million. For the small business market, I have seen reports indicating a range of $120,000 to $1.24 million. The cost to make improvements in security controls is minimal compared to the cost of a breach, considering a breach can impact reputational risk, cause a decline in customer confidence, and lead to a loss of business. These breaches can be game-enders, rendering businesses unable to survive financially—it’s been reported that 60% of small businesses end up closing within six months of a cyberattack. While building or maturing your cybersecurity and compliance program is no guarantee that you can avoid a breach, it will certainly help in both preventing and surviving.

What can a company do to create budget-friendly cybersecurity and compliance programs?
Start by understanding what your customer and regulatory obligations are. Discuss these obligations with your assessors as well as your clients to see if they can be flexible. Do you really need to complete an annual HITRUST, SOC 2 and PCI assessment? Will your customers agree to accept one of these? If not, can your assessor complete all of these at one time to leverage interviews, collect evidence, and help streamline the process? In most cases this will reduce assessor fees as well as internal resources’ time and effort, so they can focus on other tasks.

How does 360 Advanced work to make your cybersecurity and compliance solutions affordable amid a recession?
The professionals here at 360 Advanced help you leverage what you can by recommending that you line up your audits together, so you save time and money. We also suggest that you update your risk assessment and ask yourself if risks have changed. Can you accept certain risks today that you could not in the past? For cybersecurity, evaluate the tools and technologies being used—are they dated and needing to be replaced? Some of the new tools and technologies are increasing protection and may be able to replace and strengthen your security, all while saving you money. Contact 360 Advanced so we can review your cybersecurity and compliance plans and make suggestions to streamline your process as much as possible.