The latest report from the IT Policy Compliance Group, entitled Why Compliance Pays: Reputations and Revenues at Risk, has found that nine in 10 firms are exposed to financial risk from data loss and theft. These risks, which can cost organisations customers, reduced revenues and even a decline in share price, could be significantly reduced by implementing core procedural and technical controls and monitoring those controls at least once every two weeks.
Among larger enterprises, the probability of a publicly disclosed data loss is likely once every three years if the firm is currently operating as a ‘laggard’. In contrast, organisations with the best results have delayed the probability of data loss to once in every 42 years. The benchmarks show that the organisations excelling at compliance are the same firms with the least data losses and the least business disruptions from IT downtime.
The results surprised the researchers: “I was surprised as this was first time ever that I have seen a direct linkage between effective control governance and what I would call system resiliency,” says Mike Money, associate director at Protiviti. “The fact that controls can make a system more resilient has never been in a study before and that is a very favourable result for increasing controls. Not any one particular control is effective in any area, but a web of controls has a significant effective. … Predicting what impact a particular control has is difficult but increasing controls in several areas will have a favourable impact.”
“One of the most interesting and surprising findings is the correlation between controls and governance and compliance and less data losses and less data disruption, or better system resiliency,” says Jim Hurley, MD of the IT Policy Compliance Group and senior research manager at Symantec. “The other thing that we found is that the spending has been so low in this area, and the expectation of financial losses so predictable and the amount is so high, that though reasonable people can agree to disagree over some of the figures that might be in there, what they really can’t disagree about is the orders of magnitude that are in there. It is very clear that it makes an awful lot of sense to improve controls and governance programmes in order to delay or reduce or mitigate the likelihood of these data losses occurring.”
According to Attrition.org’s Data Loss Database, the US has averaged almost 280 publicly exposed incidents of data theft or loss annually over the last two years, which has had significant business impact. According to the report, benchmarks show organisations experiencing a publicly reported data loss expect to see an 8% decline in customers and revenue, an 8% decline in the price per share for publicly traded firms, and additional expenses averaging $100 per lost customer record for firms experiencing publicly disclosed data losses and thefts.
Successful firms, those with the fewest data losses and thefts, are driving operational excellence in IT by improving compliance results, especially in IT general controls and IT security controls and procedures. More notably, the benchmarks show the least data loss among firms that are monitoring and measuring controls against objectives frequently, at least once every two weeks.
The report identifies practices that will assist businesses with improving IT compliance results, reduce business downtime, and reduce data loss and theft, including: implementing more and appropriate IT controls; reducing control objectives, making it easier to communicate, measure and report against; establishing higher standards for performance objectives; encouraging a culture of operational excellence in IT; conducting monitoring, measurement and reporting of controls against objectives at least once every two weeks, and allocating more spend to controls automation.