New Benchmark Research Report Released Today from IT Policy Compliance (ITPC): “Taking Action to Protect Sensitive Data”

Today IT Policy Compliance released a new benchmark research report, “Taking Action to Protect Sensitive Data.”
I had the great opportunity to not only have a sneak peek at the report, but also to speak yesterday about the report with Jim Hurley, the Managing Director for IT Policy Compliance who authored the report, and Heriot Prentice, Director of Technology at The Institute of Internal Auditors (IIA), which is one of the sponsors for the IT Policy Compliance site.


The report is freely available to anyone visiting the site, but you must register with the site to obtain the report. Jim Hurley explained this registration is to help them determine the geographic distribution of the folks who use the site. Considering the sometimes vastly different data protection requirements throughout the world, this is a good idea to help them to provide information specific to the various locations. Jim said they will also use the registration information to occasionally poll the site users for feedback on the topics they would like to see addressed. He emphasized the registration information will not be shared with any other organizations, as they indicate in their privacy policy.
254 out of 300 companies invited to participate in the study participated; 201 qualified. The information was obtained through an online questionnaire, with a +/- 6% degree of accuracy. The survey responses were not tied to any specific individuals or companies. Only the survey participant’s position and general information about the company, such as size and industry, were collected to maintain privacy.
36% of participating organizations employ fewer than 250 persons. 36% employ between 250 and 2,499 persons. 28% employ 2,500 or more. So, there was a nice, fairly even distribution between the different sizes of organizations.
What was interesting and surprising to me was that, according to Jim, the results and conclusions reported were basically the same throughout all sizes of organizations. I had thought there might be more problems within the SMBs.
This is a very interesting and revealing benchmark report that information security and privacy leaders should find quite useful, and helpful, for their data safeguarding efforts. It not only reveals the data protection missteps companies commonly make, but it also provides recommendations that you should show your CEOs and CFOs to help you get the sponsorship and resources necessary to make your privacy and security programs better.
I really like the labels for the categories of companies ITPC used within the report: Industry laggards, Industry norm, Industry leaders. Who wants to be known as an industry laggard when it comes to safeguarding data? Hopefully not your CEO.
Let’s look at some of the excerpts and research findings.
• 12% of organizations are experiencing fewer than two losses of sensitive data each year
• 68% are experiencing six losses of sensitive data annually
• 20% are suffering from 22 or more sensitive data losses per year
Even with the almost daily news of security incidents and privacy breaches, these numbers demonstrate that a vast majority of incidents do not get reported. Imagine…20% of companies experience 22 or more sensitive data losses per year! Of course, there are many different ways in which data loss can occur; the less intriguing ways do not typically get reported in the news that often.

“The leading causes of sensitive data loss are due to three primary problems that include:
• User errors
• Violations of policy
• Internet threats, attacks and hacks.”

Indeed, user errors are so common and lead to so much data loss, and yet too many business leaders still do not see the need for better controls or better education!
This also shows the importance of having good information security policies; policies are necessary not only for compliance and to establish a consistent framework of expectations for data protection, they also help to prevent the loss of sensitive data when they are followed.

“The primary conduits through which sensitive data are being lost include:
• PCs, laptops and mobile devices
• Email, instant messaging and other electronic channels
• Applications and databases and the systems these operate on”

Yes, these are often reported in the press, but yet many times business leaders do nothing to prevent similar losses within their own organizations, willing to take the chance it will not happen to them. These findings show that yes, these three categories represent huge risks for all organizations, and they need to be appropriately addressed.

“Actions proven to mitigate and reduce data loss that are being taken by firms with the fewest
data losses, include:
• Measuring actual data losses
• Identifying the most critical sensitive data, including IT security and regulatory audit data
• Modifying policies and procedures
• Making data protection everyone’s business
• Inventorying IT controls, especially those for PCs, laptops, mobile field devices, Email, Web, Internet channels, applications and databases
• Employing many different IT controls to mitigate data loss, destruction, and theft
• Weekly monitoring and reporting on the effectiveness of controls and procedures”

It is still disappointing that so many business leaders do not understand the need to identify their data, classify it, inventory it, and know where it resides. You cannot protect data if you do not know where it is. You cannot know if an incident has occurred if you do not know where it is.
So many of the reported incidents were discovered and reported by customers and others outside of organizations, and were not discovered by the organization that was responsible for and lost the data.
Something the organizations need badly, but few have, is good tools for maintaining an up-to-date inventory of their sensitive data. Do you have a tool you use to keep a comprehensive and accurate inventory?
The report makes a very good case for the need for ongoing, regular and frequent (daily and weekly) monitoring for threats and vulnerabilities. Those organizations with the least monitoring had the most data loss.
In my discussion with Jim and Heriot, they indicated the biggest surprises to them that came out of the study were:
1. The amount of financial losses they tracked for publicly reported losses. A publicly reported incident had 8% loss of customers and revenue plus significant additional expenses, such as those to restore data, change applications, etc.
2. Unlike other findings, this research shows that IT controls are even more critical for protecting data than for general compliance and for general results for business impact. The companies doing the best to prevent data loss are those using many different preventive controls.
Yes, security cannot be achieved with just one or two actions or activities. Businesses must apply security in depth, in many different layers, using many different methods, to be effective.
3. Companies with few data losses evaluate their procedures against their policies on at least a weekly basis.
4. Organizations need to make sure controls are built in, not added after the fact, because then they are easier to monitor and use.
5. They thought there would have been more advances in IT controls than was revealed.
The research supports the notion that even if policies and procedures are in place, education through training and awareness must be done well and be ongoing to make the policies and procedures effective.
Many organizations assume it is expensive to secure data. However, as Heriot pointed out, this report shows it is much more expensive to respond to incidents than to prevent them.
While almost all the participating companies were U.S.-based, Heriot indicated there would probably be similar results in Europe and other parts of the world. So, this is a fairly good globally-representative report.
During our conversation Jim gave a great example of a company he worked with that implemented a very effective way to motivate employees to protect sensitive data. He said he had worked with a bank that had changed their information security policies over 1 year ago, and then rolled out their policies over a period of 6 months. This bank paid quarterly bonuses to their employees. Their new policies included a sanction that stipulated any department with access to customer data would not be paid a bonus for that quarter if there were data losses or breaches in their area. A hotline for reporting data losses and breaches was also instituted. The breaches and data losses were first monitored monthly and then weekly. The bank now experiences almost no data losses because the employees are so motivated to ensure data security. Makes sense; who would want to lose their bonus?!
Page 19 of the report gives a nice high level roadmap organizations can use for their own data loss prevention plan.
There are many more interesting and useful details that I did not cover here.
Check out the report and use it for your own information security and privacy initiatives and support!
