[ISN] Data leaks equal eight percent drop in revenue

From: InfoSec News (alerts@private)
Date: Sun Mar 11 2007 - 23:11:20 PST


By Sandra Rossi, Sydney
12 March, 2007

The IT Policy Compliance Group has released research showing 20% of 
enterprises suffer from more than 22 sensitive data losses per year.

The most sensitive losses include customer, financial, corporate, 
employee, and IT security data, which is either stolen, leaked, or 
destroyed, according to the research report entitled "Taking action to 
protect sensitive data."

The primary channels through which data is lost, in order of risk, 
include PCs, laptops and mobile devices, email, instant messaging, 
applications and databases.

Organisations that experience publicly reported data breaches suffer an 
8% loss of revenue.

Compounding the revenue and customer losses are additional expenses 
averaging US$100 per lost or stolen customer record to notify customers 
and restore data, according to the compliance group, which is made up of 
members from the Computer Security Institute, the Institute of Internal 
Auditors, Protiviti and Symantec.

The group conducts fact-based benchmark research to determine the best 
practices that result in improvements to IT compliance results for 

The Institute of Internal Auditors director of technology practices, 
Heriot Prentice, says preventative measures such as built-in IT controls 
are vital to ensuring that businesses protect the data they collect.

"It shouldn't be an afterthought, but rather considered up-front in the 
design of hardware and software redundancy to ensure the information is 
kept secure and supported throughout the data lifecycle. It's that 
simple. If you collect it, then protect it," Prentice says.

The benchmark results of the research show that firms with the fewest 
data losses are identifying sensitive core business data, mitigating 
user errors, policy violations and internet attacks, and monitoring many 
different IT controls and procedures weekly.

The first line of defense to protect data continues to be the people who 
are handling data. Businesses must develop and update policies for 
sensitive data protection, handling, retention, and destruction that 
include accountability programs, the report says.

Computer Security Institute director, Robert Richardson, says while some 
results give cause for alarm, there's also the strong suggestion that 
some organisations have managed to provide responsible oversight of 
their data.

"These are organisations we want to applaud and to emulate," Richardson 

Organisations with the fewest losses are spending more time monitoring 
policy compliance and are employing multiple IT controls to reduce the 
loss of sensitive data.

Best-in-class organisations are monitoring and measuring controls and 
procedures to protect sensitive data once a week, while most firms are 
conducting such measurements only about once every 176 days.

In addition, these organisations classify IT security and regulatory 
data as sensitive and take the necessary steps to secure it.

IT Compliance Group managing director, Jim Hurley, says failing to 
protect IT security and regulatory audit data is like a bank giving away 
the combination to the vault.

"Instead of securities and cash, these firms are putting sensitive data, 
customers, revenues and business futures entirely at risk," he says.

The report provides a number of recommendations to improve protection, 
ranging from increasing the frequency of audits to implementing 
technology to mitigate user errors and policy violations.

This archive was generated by hypermail 2.1.3 : Sun Mar 11 2007 - 23:31:17 PST