An overwhelming percentage of US businesses still fall far short in their efforts to comply with industry data-handling regulations and reduce their likelihood of experiencing a serious leakage incident, according to new a survey.
In a report to be published by the IT Policy Compliance Group on July 18, the consortium of IT compliance and security experts concludes that some 90 percent of all businesses still do not have sufficient policies in place to meet data governance regulations and adequately limit the risk of a breach.
In the survey of 475 companies, a third of whom reported revenues over $1 billion last year, the industry group found that an overwhelming majority of the firms expect to deal with at least six business disruptions related to major data incidents per year along with five or more instances of information loss or theft.
While businesses continue to invest policy enforcement software and other technologies aimed at helping them meet data-handling regulations, said James Hurley, managing director of IT Policy Compliance Group, most are still struggling to fill all the gaps left in their systems that leave them open to potential incidents.
Hurley is also a senior research manager at security software maker Symantec, a member of the compliance policy think-tank, along with such organizations as the Computer Security Institute, Institute of Internal Auditors, ISACA, and IT Governance Institute.
Along with well-known federal guidelines, such as the Sarbanes-Oxley Act, many companies are having trouble responding to new statewide data protection measures crafted after the California 1386 bill, which requires businesses to make public notice of severe data incident, he said.
"When it comes to protecting data, a lot of organizations still find information all over the place that they may not even have control over," Hurley said. "People are finally discovering this is a difficult problem and that the controls they thought they have in place may not be adequate; that they need to re-think those controls and find out where the data inventory actually is because in most organizations, it's not under control."
In addition to gauging what percentage of companies remain at risk for a data breach, the survey also attempted to measure the impact of such an event on the average company. Based on its respondents' replies, businesses that are forced to report major incidents publicly can expect to experience an 8 percent loss of their stock price and an equal 8 percent of their customers.
Companies can also expect to report an 8 percent fall-off in their quarterly revenue along with additional costs for litigation, customer notification, and subsequent settlements averaging $100 per each record they lose.
In a nod to the increased challenge of meeting regulations and lowering data leakage within enterprises, the report concludes that larger companies are more likely to have incidents, based on its research. Organizations with less than 1,000 workers average roughly 8 percent in revenue and customer losses per event, whereas companies with over 100,000 employees can expect to lose 12 percent of their sales and clientele.
While some researchers have tried previously to divine the overall expense of having a major data breach, such as the one reported by retailer TJX Companies in early 2007, it has been hard to guess just how much such an event truly costs said Mike Money, associate director at Protiviti, an auditing services specialist that is also participating in the consortium.
"We finally have some data on this because of the state laws that have gone into effect, so hopefully some companies see this report and understand the extent of the problem," Money said. "People are finally starting to focus on the issue because they see the newspaper headlines every day, and until you've been through one of these types of events its hard to understand all the implications."
Unsurprisingly, the report also finds that companies that allocate the highest budgets for compliance automation technologies are faring better in their efforts than those who spend less on the issue.
In a shift from previous studies completed by IT Policy Compliance Group, however, it appears that most organizations are realizing that they need to adjust their budgets to account for the tools, Hurley said.
"The difference is that these state regulations have put this on the front of the radar screen, and they are realizing that they need to spend money to solve security problems that benefit compliance goals," said Hurley. "There's a clear linkage between having better controls and experiencing fewer data losses and business disruptions, as obvious as that may seem."