By Sandra Rossi, Sydney
12 March, 2007
The IT Policy Compliance Group has released research showing 20% of
enterprises suffer from more than 22 sensitive data losses per year.
The most sensitive losses include customer, financial, corporate,
employee, and IT security data, which is either stolen, leaked, or
destroyed, according to the research report entitled "Taking action to
protect sensitive data."
The primary channels through which data is lost, in order of risk,
include PCs, laptops and mobile devices, email, instant messaging,
applications and databases.
Organisations that experience publicly reported data breaches suffer an
8% loss of revenue.
Compounding the revenue and customer losses are additional expenses
averaging US$100 per lost or stolen customer record to notify customers
and restore data, according to the compliance group which is made up of
members from the Computer Security Institute, the Institute of Internal
Auditors, Protiviti and Symantec.
The group conducts fact-based benchmark research to determine the best
practices that result in improvements to IT compliance results for
The Institute of Internal Auditors director of technology practices,
Heriot Prentice, says preventative measures such as built-in IT controls
are vital to ensuring that businesses protect the data they collect.
"It shouldn't be an afterthought, but rather considered up-front in the
design of hardware and software redundancy to ensure the information is
kept secure and supported throughout the data lifecycle. It's that
simple. If you collect it, then protect it," Prentice says.
The benchmark results of the research show that firms with the fewest
data losses are identifying sensitive core business data, mitigating
user errors, policy violations and internet attacks, and monitoring many
different IT controls and procedures weekly.
The first line of defense to protect data continues to be the people who
are handling data. Businesses must develop and update policies for
sensitive data protection, handling, retention, and destruction that
include accountability programs, the report says.
Computer Security Institute director, Robert Richardson, says while some
results give cause for alarm, there's also the strong suggestion that
some organisations have managed to provide responsible oversight of
"These are organisations we want to applaud and to emulate," Richardson
Organisations with the fewest losses are spending more time monitoring
policy compliance and are employing multiple IT controls to reduce the
loss of sensitive data.
Best-in-class organisations are monitoring and measuring controls and
procedures to protect sensitive data once a week, while most firms are
conducting such measurements only about once every 176 days.
In addition, these organisations classify IT security and regulatory
data as sensitive and take the necessary steps to secure it.
IT Compliance Group managing director, Jim Hurley, says failing to
protect IT security and regulatory audit data is like a bank giving away
the combination to the vault.
"Instead of securities and cash, these firms are putting sensitive data,
customers, revenues and business futures entirely at risk," he says.
The report provides a number of recommendations to improve protection,
ranging from increasing the frequency of audits to implementing
technology to mitigate user errors and policy violations.