A-LIGN’s Compliance Crosswalk podcast features discussions at the intersection of security, privacy, compliance, and risk management. On our fourth episode, hosts Blaise Wabo, Healthcare and Financial Services Knowledge Leader, Arti Lalwani, Risk Management and Privacy Knowledge Leader, and Patrick Sullivan, Vice President of Customer Success, share their thoughts and insights on A-LIGN’s 2022 Compliance Benchmark Report.
What is the 2022 Compliance Benchmark Report?
Our 2022 Compliance Benchmark Report offers insights into how your organization’s cybersecurity and compliance efforts stack up against other organizations across various industries.
We surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs with the goal of gaining a better understanding of their organization’s position when it comes to compliance, including strengths, weaknesses, and opportunities.
What’s Changed in the 2022 Report?
There are common themes between the 2021 and 2022 Benchmark reports, including the fact that cybersecurity and compliance remain a top priority for organizations across industries. Compliance is still a driver for winning new business and maintaining relationships with existing customers. Therefore, obtaining (and maintaining) certain certifications is still a major motivator for growing organizations.
However, there are noticeable differences between the reports as well. In 2021, 25% of those surveyed were using some sort of compliance software to either drive or to complete compliance assessments. But in 2022, we see close to 75% of organizations utilizing compliance software and platforms.
Patrick Sullivan speculates that this big jump can be attributed to organizations recognizing how important cybersecurity is and how urgently they need to act on minimizing threat levels. Even with the Great Resignation forcing personnel shifts, many organizations still devoted more of their resources to developing stronger business continuity plans to prepare for disasters or security incidents.
The Rise of Audit Fatigue
With so many third-party assessments offered and frameworks and regulations to follow, the experts at A-LIGN caution compliance experts to avoid “audit fatigue.”
Too many organizations view audits as a catch-all, building strategies around the audits they complete instead of the other way around. Before registering for assessments, organizations should take a step back and look at their compliance and security frameworks as a whole. Build a compliance strategy first, then pursue audits that meet the needs of that strategy.
“It’s possible to solve all of your problems but not have the solution you want,” Patrick explains, which is why organizations should determine what frameworks they actually need to follow before proactively pursuing them.
Cybersecurity Concerns in 2023
It’s not too early to start making predictions about which trends will become more prominent in the next year.
The 2022 Benchmark Report found the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to be one of the top three compliance services organizations are looking to lean more into in the following year.
HIPAA’s rise in popularity is a sign of the times. Following the height of the COVID-19 pandemic in 2020, the telehealth market saw a rapid rise in popularity. Organizations expanded services and brought on many third-party vendors, which unfortunately surfaced vulnerabilities and led to an increase in healthcare-related cyberthreats.
Blaise notes the value of healthcare data as a major driver for targeted attacks. He speculates that most of the hackers nowadays are not just looking for the money but are also looking for data that has real value—and there’s no better way to do that than infiltrating healthcare systems. In fact, the value of one health record on the black market is anywhere from $650 to $2,000 per record.
Beyond the healthcare industry, ransomware attacks are poised to become a more commonplace issue into 2023 and beyond. We’re predicting a rise in Ransomware as a Service — a practice where bad actors package ransomware into a kit. They can then sell this kit to a less sophisticated bad actor, granting that entity access to all of the tools needed to attack an organization’s network.
How Organizations Can Start Preparing Now
While it’s hard to predict what exactly the future holds, perhaps the most important thing organizations can do is find a trusted partner to help address their cybersecurity concerns.
“Finding a trusted partner is definitely key,” says Blaise. Both compliance and cybersecurity require certain protocols for certain types of information, and for some, this can be a sensitive topic to broach. People should feel comfortable discussing their organization’s weak points with their security provider, and establishing a strong relationship before a cyberattack occurs.
Join Blaise Wabo and Arti Lalwani for episode five of the Compliance Crosswalk podcast, available in July.