Compliance â€˜Laggardsâ€™ Face Most Financial Risk from Data Loss, Report Shows
The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that can be cost-effectively avoided. The report, â€œWhy Compliance Pays â€“ Reputations and Revenues at Risk,â€ finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year. Those firms with the best IT compliance results have, at most, two disruptions annually.
â€œThere are two real key findings from this ongoing report for financial institutions. We are finally able to quantify publicly reported data losses, (this data was also checked from historical databases as well). Financial risk for losing data is absolutely huge, compared to the amount of money being spent on compliance and data protection,â€ said Jim Hurley, a senior research manager for Symantec and senior director of the IT Policy Compliance Group.
â€œThe second key finding is, and we stumbled onto this by accident, is the relationship between compliance and data loss. How well (or poorly) a company does compliance, and how well (or poorly) theyâ€™re doing on data loss, we found a relationship between the two,â€ Hurley noted.
â€œI expected a normal distribution, a normal spread like what we see in the rest of the world of compliance. But itâ€™s a one to one mapping between the two. At first I thought the numbers were skewed, but we checked them and they are right. I expected a different distribution, but across the entire universe of companies, this distribution rings true,â€ Hurley said. The companies that are doing well in compliance efforts are suffering far fewer data loss events and base business disruptions.
Notably, Hurley said, financial and accounting service industry sees more â€œcompliance laggards.â€ This number is higher by about 5 percent of the rest of population at large. â€œThe banking industry matches the entire population, they donâ€™t do any better or any worse than the rest of the industries in the survey,â€ he explained.
Most organizations are exposed to financial risk from data loss and theft
Nine out of ten firms are not leveraging compliance and IT governance procedures that could help mitigate financial risk from lost or stolen data. Benchmark results include:
- Lagging organizationsâ€”2 out of 10â€”have the most to gain.
- Normative organizationsâ€”7 out of 10â€”can reduce substantial financial risk.
- Leading organizationsâ€”only 1 out of 10â€”are well positioned.
Compliance leaders have the fewest business disruptions
Firms with the best IT compliance results have the least business downtime from IT security events. Findings show:
- Compliance leaders have only two or fewer disruptions annually from IT security events.
- Compliance laggards experience 17 or more disruptions a year from IT security events.
- Compliance leaders have the least data loss and theft
Firms with the best IT compliance report the fewest data losses. Results include:
- Compliance leaders have two or fewer data losses or thefts of sensitive data annually.
- Compliance laggards have 22 or more data losses per year.
Probability of a financial loss: Not if, but when
Financial loss will occur with data loss and theft. The question is when and by how much. The probability of making the front page of the paper for a data loss or theft is:
- Once every three years or sooner for compliance laggards
- One every 42 years or later for compliance leaders
Financial risk and loss are significant enough to manage
The expected financial risk for publicly disclosed data loss and theft is matched by limited actual experience. Financial risks include:
- An 8 percent decline in the market value of a share of stock for publicly traded firms
- An 8 percent loss of customers
- A temporary decline in revenue of 8 percent
- Additional costs for litigation, notification, settlements, cleanup, restoration, and improvements averaging $100 per lost customer record
Returns are high
Due to high financial risk and relatively low spending on compliance and data protection, returns on spending for compliance and data protection are high:
- Start at about 100 percent on the low end
- Easily exceed 1,000 percent for higher returns
Best practices to improve results: Follow the leaders
The benchmarks identify practices being implemented by leaders that dramatically improve IT compliance results, markedly reduce business downtime from IT security events, substantially reduce incidents of data loss and theft, and reposition these firms for lower financial risk. Such practices include:
- Implementing more of the appropriate IT controls
- Reducing control objectives, making it easier to communicate, measure, and report
- Establishing higher standards for performance objectives
- Encouraging a culture of operational excellence in IT
- Monitoring, measuring, and reporting controls against objectives at least once every two weeks
- Allocating more funds to control automation
Even if not disclosed publicly, the likelihood that a data breach generates negative publicity is proportionally higher for companies with poor IT policy compliance programs. The report finds the probability of making headlines for a data loss or theft is once every three years for compliance laggards, but only once every 42 years for compliance leaders.
â€œThe report itself validates what companies have been striving to accomplish. All too often companies are implementing controls more from a compliance standpoint than from a due diligence standpoint. But taking the results of this report, it validates the justification that companies are looking for when they spend money on compliance controls,â€ said Rocco Grillo, managing director at Protiviti, a technology risk consultancy.
â€œWhen you can bring this type of validated data to the table, this is the type of data that your executives are looking for. Most IT organizations already know where their vulnerabilities exist, but itâ€™s the cost of the countermeasures that is the struggle. By having data like this to substantiate it, it establishes a business case for spending,â€ Grillo concluded.
This new research from the IT Policy Compliance Group also includes several recommendations for developing and implementing more effective IT policy compliance controls, and is available at www.itpolicycompliance.com.