Prime Factors Blog

The Average Cost of a Failed Data Security Audit

Posted by Pete Flagella on Nov 16, 2017 12:38:41 PM

If your organization is big enough to mandate a data security audit, it’s big enough to be a target for a variety of cybercriminals, hackers, identity thieves, or any other bad guys lurking around the Internet. Making sure your organization can pass a data security audit isn’t just a good idea—it’s a great way to prevent and deflect cyberattacks, saving you a great deal of time and money in averted data and public relations damage control.

Surprisingly, many organizations fail data security audits. This can occur when the organization does not have adequate notice or is not properly prepared for an examination. On the flip side, just because an organization passes a data security audit does not necessarily mean it is completely prepared for attacks either. One thing is for sure: failing an audit is a sure sign that there is a weak link inside the organization’s cybersecurity and encryption strategy.

One quarter of organizations have failed a data security audit at some point. Don’t be a statistic!

Organizations know when to expect a data security audit, often many months in advance. So, it might come as a surprise that 2% of all corporate and organizational data audits do not meet the PCI standard, failing their audit. An estimated 41% rely on “compensating controls,” which are measures to try and meet the standard outside of strict PCI DSS guidelines. Failing a data security audit can often have costs beyond the price tag of a second examination; failure can lead to increased costs in re-training staff and damage to the brand or reputation if word gets out to the public.

Many business leaders may not understand the importance of preparing for data audits.

While data breaches are becoming more costly and more frequent within the U.S. and worldwide, many business leaders may not understand the value and importance of preparing for a data security audit. They focus on the cost and expense of an audit, but in nearly every case (unless a very small company undergoes an audit) a data security audit pays for itself many times over in reduced security costs and reputational benefits.

We can all agree that most audits are costly. Industry estimates indicate that the average corporate data security audit is an estimated $225,000 – and that’s not including preparation, training, and other internal expenses. While increasing your budget for staff preparation and training is an upfront cost, it can save the life of the organization or the unforeseen costs associated with security breaches and, again, brand reputation. Recall the statistics found by Forrester and Verizon in their 2017 Data Breach report in a recent blog post:

  • 66% of organizations experience an average of 5 or more security breaches
  • 81% of breaches are due to weak, default, or stolen passwords
  • $400m+ of shareholder value was lost after Chipotle reported a breach
  • Stock prices drop 5% on the day a data breach is exposed
  • Customer turnover can average as much as 7% after a breach
  • Only 20% of CMOs and 5% of IT practitioners say they would be concerned about a decline in their companies’ stock price

Preparing for data security audits has the potential to save money, but many IT security employees find themselves at odds with upper management when advocating for more investment in audit preparation. IT and digital security employees want to spend more; cost-cutting executives often wish to reduce or even eliminate cybersecurity training programs.

In a recent survey, 54% of QSAs (Qualified Security Assessors), who are certified by the PCI Security Standards Council to conduct corporate audits, say their clients (i.e., management) believe they are overpaying for data security audits. This thinking creates the perception that audit preparation is not a good investment, which may lead many executives to cut budgets for cybersecurity efforts altogether, including encryption of vital data and other programs that prepare employees for an audit. It is important to remember that if a data security audit is failed, you will have to go through the entire process again, adding a hefty expense to the organization’s overall security costs. That would truly be the definition of overpaying!

In addition, it is important to remember the real reason for data security audits: making sure an organization can protect itself from digital threats. If you do not pass a data security audit, your organization is most likely not prepared or equipped to deal with a full-scale cyberattack. With the average cost of a breach having recently grown from $3.8 to $4 million, smart business leaders know the cost of an effective security strategy is minimal compared to the alternative.

Companies that pass data audits are not immune to breaches.

As we briefly mentioned earlier, organizations that pass data security audits are not necessarily safe from hacks or data breaches. Target, Home Depot, and LinkedIn, among many other companies, had passed numerous security audits and still experienced breaches costing over $100 million each. Most well-informed executives understand that passing a data security audit should be seen as a basic requirement for an organization, rather than a definitive reason to assume you have an effective security strategy in place.

Organizations with effective security strategies continually monitor and update their policies, strategies, and procedures to increase their effectiveness and awareness. They are prepared to defend themselves against new threats to sensitive data.

How can Prime Factors help?

To learn more about how encryption can protect your organization and help you meet PCI DSS (Payment Card Industry Data Security Standard) compliance requirements, contact Prime Factors at 888-963-6358 or through our contact form for a free consultation.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption.



Topics: encryption, PCI Data Encryption, PCI Data Security Standards, PCI Compliance, PCI DSS