Compliance 'Laggards' Face Most Financial Risk from Data Loss, Report Shows

Credit EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that can be cost-effectively avoided. The report, "Why Compliance Pays - Reputations and Revenues at Risk," finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year. Those firms with the best IT compliance results have, at most, two disruptions annually.

"There are two real key findings from this ongoing report for financial institutions. We are finally able to quantify publicly reported data losses, (this data was also checked from historical databases as well). Financial risk for losing data is absolutely huge, compared to the amount of money being spent on compliance and data protection," said Jim Hurley, a senior research manager for Symantec and senior director of the IT Policy Compliance Group.

"The second key finding is, and we stumbled onto this by accident, is the relationship between compliance and data loss. How well (or poorly) a company does compliance, and how well (or poorly) they're doing on data loss, we found a relationship between the two," Hurley noted.

"I expected a normal distribution, a normal spread like what we see in the rest of the world of compliance. But it's a one to one mapping between the two. At first I thought the numbers were skewed, but we checked them and they are right. I expected a different distribution, but across the entire universe of companies, this distribution rings true," Hurley said. The companies that are doing well in compliance efforts are suffering far fewer data loss events and base business disruptions.

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Healthcare Enews General Healthcare Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

Notably, Hurley said, financial and accounting service industry sees more "compliance laggards." This number is higher by about 5 percent of the rest of population at large. "The banking industry matches the entire population, they don't do any better or any worse than the rest of the industries in the survey," he explained.

Key Findings

Most organizations are exposed to financial risk from data loss and theft

Nine out of ten firms are not leveraging compliance and IT governance procedures that could help mitigate financial risk from lost or stolen data. Benchmark results include:

• Lagging organizations”2 out of 10”have the most to gain.
• Normative organizations”7 out of 10”can reduce substantial financial risk.
• Leading organizations”only 1 out of 10”are well positioned.

Compliance leaders have the fewest business disruptions

Firms with the best IT compliance results have the least business downtime from IT security events. Findings show:

• Compliance leaders have only two or fewer disruptions annually from IT security events.
• Compliance laggards experience 17 or more disruptions a year from IT security events.
• Compliance leaders have the least data loss and theft

Firms with the best IT compliance report the fewest data losses. Results include:

• Compliance leaders have two or fewer data losses or thefts of sensitive data annually.
• Compliance laggards have 22 or more data losses per year.

Probability of a financial loss: Not if, but when

Financial loss will occur with data loss and theft. The question is when and by how much. The probability of making the front page of the paper for a data loss or theft is:

• Once every three years or sooner for compliance laggards
• One every 42 years or later for compliance leaders

Financial risk and loss are significant enough to manage

The expected financial risk for publicly disclosed data loss and theft is matched by limited actual experience. Financial risks include:

• An 8 percent decline in the market value of a share of stock for publicly traded firms
• An 8 percent loss of customers
• A temporary decline in revenue of 8 percent
• Additional costs for litigation, notification, settlements, cleanup, restoration, and improvements averaging $100 per lost customer record

Returns are high

Due to high financial risk and relatively low spending on compliance and data protection, returns on spending for compliance and data protection are high:

• Start at about 100 percent on the low end
• Easily exceed 1,000 percent for higher returns

Best practices to improve results: Follow the leaders