Companies need to improve cybersecurity compliance to fend off attacks

Cyber threats have increased in the last year, particularly in medium-sized companies, according to findings from a survey carried out by the Wall Street Journal.

The newspaper surveyed around 300 compliance professionals in February and March this year. Of these, 36% worked in financial services, 13% in professional and business services, and 9% in the technology sector in the US and Canada.

Nine out of 10 respondents said cybersecurity risks had risen and nearly half confirmed the threat had increased substantially. Worryingly, companies highlighted concerns about their compliance department’s ability to respond to threats. Only 8% of compliance professionals considered themselves experts, while nearly half admitted to having only a basic or novice level of expertise.

Concern over compliance rules and regulations

Survey participants expressed concern about the implications of stringent regulatory scrutiny and enforcement (78%), and company digitization (71%), given the pressure of new notification targets.

From December, businesses affected by cyberattacks need to inform the Securities and Exchange Commission (SEC) no later than four business days after the event. Furthermore, new draft rules, set out by the US Cybersecurity and Infrastructure Security Agency, stipulate that critical infrastructure companies need to report significant threats within 72 hours and ransom payments within 24 hours.

Building in-house skills is a major priority for most in order to meet cybersecurity and regulatory compliance. Lack of staff was cited by 35% of respondents as a main element hampering cyber compliance – and seven out of 10 said they need to build their knowledge in this area.

Nevertheless, 90% believed their company’s cybersecurity compliance program was somewhat effective and only 2% described theirs as ineffective.

The challenge with geopolitics and AI

Disruptive geopolitical elements are impacting compliance, according to the results. The Russia-Ukraine conflict was cited by 43% of respondents as affecting the ability of compliance professionals to do their job – particularly in larger companies (with a revenue of more than US$1 billion). In addition, 47% said global countermeasures, such as sanctions, have increased supply chain risks to compliance.

Economic tensions between the US and China, China-Taiwan, and the Gaza war were also cited by 39%, 19%, and 20% of respondents respectively, as having an impact on cybersecurity compliance.

Finally, the study suggests compliance departments are not sufficiently proficient in the challenges and benefits of artificial intelligence (AI). While AI is of interest to many, 46% of compliance professionals were not using it as part of future compliance planning – meaning only one-third were – and one in five had no plans to use AI in this way.

However, the industry remains open-minded. Findings showed that 41% of smaller businesses (with a revenue of less than US$50 million) had put AI to use, while more than half of companies in the US$1 billion revenue band said they were considering using AI for compliance – to detect control deficiencies (45%) and for cybersecurity (44%).
