Financial risk for losing data is absolutely huge, compared to the amount of money being spent on compliance and data protection,” said Jim Hurley, a senior research manager for Symantec and senior director of the IT Policy Compliance Group.
“The second key finding is, and we stumbled onto this by accident, is the relationship between compliance and data loss. How well (or poorly) a company does compliance, and how well (or poorly) they’re doing on data loss, we found a relationship between the two,” Hurley noted. “I expected a different distribution, but across the entire universe of companies, this distribution rings true,” Hurley said.
“The banking industry matches the entire population, they don’t do any better or any worse than the rest of the industries in the survey,” he explained.
Key Findings Most organizations are exposed to financial risk from data loss and theft Nine out of ten firms are not leveraging compliance and IT governance procedures that could help mitigate financial risk from lost or stolen data. Compliance leaders have the fewest business disruptions Firms with the best IT compliance results have the least business downtime from IT security events. Compliance laggards experience 17 or more disruptions a year from IT security events.
Such practices include: Implementing more of the appropriate IT controls Reducing control objectives, making it easier to communicate, measure, and report Establishing higher standards for performance objectives Encouraging a culture of operational excellence in IT Monitoring, measuring, and reporting controls against objectives at least once every two weeks Allocating more funds to control automation Even if not disclosed publicly, the likelihood that a data breach generates negative publicity is proportionally higher for companies with poor IT policy compliance programs.
All too often companies are implementing controls more from a compliance standpoint than from a due diligence standpoint.
http://www.bankinfosecurity.com/articles.php?art_id=507