Cyber Security Institute


Friday, July 20, 2007

Compliance ‘Laggards’ Face Most Financial Risk from Data Loss, Report Shows

The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that can be cost-effectively avoided.  The report, “Why Compliance Pays—Reputations and Revenues at Risk,” finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year.

“Financial risk for losing data is absolutely huge, compared to the amount of money being spent on compliance and data protection,” said Jim Hurley, a senior research manager for Symantec and senior director of the IT Policy Compliance Group.

“The second key finding, and we stumbled onto this by accident, is the relationship between compliance and data loss. How well (or poorly) a company does compliance, and how well (or poorly) they’re doing on data loss, we found a relationship between the two,” Hurley noted. “I expected a different distribution, but across the entire universe of companies, this distribution rings true,” Hurley said.

“The banking industry matches the entire population, they don’t do any better or any worse than the rest of the industries in the survey,” he explained.

Key Findings

  • Most organizations are exposed to financial risk from data loss and theft: nine out of ten firms are not leveraging compliance and IT governance procedures that could help mitigate financial risk from lost or stolen data.
  • Compliance leaders have the fewest business disruptions: firms with the best IT compliance results have the least business downtime from IT security events. Compliance laggards experience 17 or more disruptions a year from IT security events.

Such practices include:

  • Implementing more of the appropriate IT controls
  • Reducing control objectives, making it easier to communicate, measure, and report
  • Establishing higher standards for performance objectives
  • Encouraging a culture of operational excellence in IT
  • Monitoring, measuring, and reporting controls against objectives at least once every two weeks
  • Allocating more funds to control automation

Even if not disclosed publicly, the likelihood that a data breach generates negative publicity is proportionally higher for companies with poor IT policy compliance programs.

All too often companies are implementing controls more from a compliance standpoint than from a due diligence standpoint.
