An overwhelming percentage of US businesses still fall far short in their efforts to comply with industry data-handling regulations and reduce their likelihood of experiencing a serious leakage incident, according to new a survey.
In a report to be published by the IT Policy Compliance Group on July 18, the consortium of IT compliance and security experts concludes that some 90 percent of all businesses still do not have sufficient policies in place to meet data governance regulations and adequately limit the risk of a breach.
In the survey of 475 companies, a third of whom reported revenues over $1 billion last year, the industry group found that an overwhelming majority of the firms expect to deal with at least six business disruptions related to major data incidents per year along with five or more instances of information loss or theft.
While businesses continue to invest policy enforcement software and other technologies aimed at helping them meet data-handling regulations, said James Hurley, managing director of IT Policy Compliance Group, most are still struggling to fill all the gaps left in their systems that leave them open to potential incidents.
Hurley is also a senior research manager at security software maker Symantec, a member of the compliance policy think-tank, along with such organizations as the Computer Security Institute, Institute of Internal Auditors, ISACA, and IT Governance Institute.
Along with well-known federal guidelines, such as the Sarbanes-Oxley Act, many companies are having trouble responding to new statewide data protection measures crafted after the California 1386 bill, which requires businesses to make public notice of severe data incident, he said.
"When it comes to protecting data, a lot of organizations still find information all over the place that they may not even have control over," Hurley said. "People are finally discovering this is a difficult problem and that the controls they thought they have in place may not be adequate; that they need to re-think those controls and find out where the data inventory actually is because in most organizations, it's not under control."
In addition to gauging what percentage of companies remain at risk for a data breach, the survey also attempted to measure the impact of such an event on the average company. Based on its respondents' replies, businesses that are forced to report major incidents publicly can expect to experience an 8 percent loss of their stock price and an equal 8 percent of their customers.
Companies can also expect to report an 8 percent fall-off in their quarterly revenue along with additional costs for litigation, customer notification, and subsequent settlements averaging $100 per each record they lose.
In a nod to the increased challenge of meeting regulations and lowering data leakage within enterprises, the report concludes that larger companies are more likely to have incidents, based on its research. Organizations with less than 1,000 workers average roughly 8 percent in revenue and customer losses per event, whereas companies with over 100,000 employees can expect to lose 12 percent of their sales and clientele.
While some researchers have tried previously to divine the overall expense of having a major data breach, such as the one reported by retailer TJX Companies in early 2007, it has been hard to guess just how much such an event truly costs said Mike Money, associate director at Protiviti, an auditing services specialist that is also participating in the consortium.
"We finally have some data on this because of the state laws that have gone into effect, so hopefully some companies see this report and understand the extent of the problem," Money said. "People are finally starting to focus on the issue because they see the newspaper headlines every day, and until you've been through one of these types of events its hard to understand all the implications."
Unsurprisingly, the report also finds that companies that allocate the highest budgets for compliance automation technologies are faring better in their efforts than those who spend less on the issue.
In a shift from previous studies completed by IT Policy Compliance Group, however, it appears that most organizations are realizing that they need to adjust their budgets to account for the tools, Hurley said.
"The difference is that these state regulations have put this on the front of the radar screen, and they are realizing that they need to spend money to solve security problems that benefit compliance goals," said Hurley. "There's a clear linkage between having better controls and experiencing fewer data losses and business disruptions, as obvious as that may seem."
- +
Strategies for Dealing With IT Complexity 24/12/2007 10:30:47
Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business.Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business. - +
9 Paths to Higher Performance 10/12/2007 14:09:23
When an organization brings together talented people in a creative, collaborative environment it fosters a culture of high performance, which in turn leads to superior business resultsLike high-achieving individuals, some organizations seem to have the Midas touch. Virtually every initiative they touch earns them gold and even those that fail never seem to cost them much of anything at all - +
Ticked Off at Tick the Box Mentality 04/02/2008 13:01:15
Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients? - +
How to Get Real About Strategic Planning 04/02/2008 12:50:59
Everyone agrees that having a strategic plan for IT is a good thing but most CIOs approach the process with fear and loathing. In fact, the majority of CIOs (and the enterprises they work for) are faking it when it comes to strategic planning. Isn't it time we all got real?Oh, it must be nice to be the CIO of a FedEx or a GE or a Credit Suisse. Places where IT and the business are so tightly aligned you can barely tell the two apart. Where corporate leaders understand that IT is a strategic asset and support it as such - +
Process Trip 04/02/2008 13:07:03
Why Maritz Travel revamped key business processes — and how business and IT came together to make it workWhen Rich Phillips became COO OF Maritz Travel about two and-a-half years ago, he sat down and took a hard look at the big industry picture
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Vignette Announces 2008 Excellence Awards 2008-11-21 10:50:00+11
PGP and Ponemon Institute Unveil Inaugural Australian Data Breach Study 2008 2008-11-20 17:34:00+11
Symantec Cloud Services Transform Data Centre Operations Through Proactive Management 2008-11-20 12:06:00+11
Verizon Business Offers Tips to Building a Successful Unified Communications and Collaboration Plan 2008-11-20 12:04:00+11
AARNet Brings 4K Digital Cinema to Australia: First 4K HD Video Signal delivered into Australia by AARNet 2008-11-20 12:02:00+11
Choices in Storage Architecture for Oracle Environments
Database systems have always been at the core of the IT landscape. Not only is storage an increasingly large cost component of database investments, but storage architecture can significantly and directly impact the performance, availability, and recovery of data. Read on to explore the interaction between Oracle databases and EMC and Network Appliance storage architectures.
Buying Guides
Latest Products
Buying Guides
