February 2007
Contents
Executive summary ... 1
Key findings ... 1
Implications and analysis ... 3
Recommendations for action ... 4
Key findings ... 5
Unconfirmed reports of sensitive data loss ... 6
Data loss results: confirmed losses of sensitive data ... 6
Which data are most sensitive? ... 7
Leading causes of data loss ... 11
The primary channels for sensitive data loss ... 14
Responding to the challenge of protecting sensitive data ... 15
Strategic actions to protect sensitive data ... 17
Better results: more frequent monitoring and measurement ... 18
Time allocated to protecting sensitive data ... 20
IT controls and sensitive data losses ... 21
Lost data: lost revenues, lost customers and additional expenses ... 22
Benefits of protecting sensitive data ... 23
Recommendations for action ... 25
Author profile ... 26
Research methodology ... 26
Appendix ... 28
Data losses in the U.S. since ChoicePoint ... 28
About IT Policy Compliance Group sponsors ... 29
Executive summary
Key findings
Extent of the data loss problem
When it comes to data losses, not all organizations are alike: some are experiencing only a few
while others are suffering from many losses of sensitive data. The benchmark shows that:
• About one in ten—twelve percent—organizations are experiencing fewer than two losses
of sensitive data each year
• The vast majority of organizations, almost seven in ten—68 percent—are experiencing
six losses of sensitive data annually
• A fairly sizable two in ten organizations—twenty percent—are suffering from 22 or more
sensitive data losses per year
The type of data being lost, stolen or destroyed
The most sensitive losses involve data that is stolen, leaked or destroyed, including:
• Customer data
• Financial data
• Corporate data
• Employee data
• IT security data
Leading causes of data loss
Sensitive data loss has three leading causes:
• User errors
• Violations of policy
• Internet threats, attacks and hacks
Primary channels through which data are being lost
The primary conduits through which sensitive data are being lost include:
• PCs, laptops and mobile devices
• Email, instant messaging and other electronic channels
• Applications and databases and the systems these operate on
Financial impacts of data loss
The average financial losses and costs being experienced by organizations from stolen and
lost data that are publicly reported include:
• A loss of customers amounting to eight (8) percent
• A commensurate loss of revenue amounting to eight (8) percent
• $100 in expenses per customer record to notify customers and restore data that has been lost,
stolen or destroyed
While best-in-class organizations are monitoring and measuring controls and procedures
to protect sensitive data once a week, most firms are conducting such measurements only
once in a blue moon: at best, once every 176 days. Furthermore, all other organizations
are either ignoring the use of IT controls to protect sensitive data or are selectively
employing only a few. In this day of instantaneous electronic information exchange and
24x7x365 Internet connectivity, infrequent monitoring and underutilized IT controls
will likely contribute to more instances of sensitive data loss.
Also unique among the leading firms—those with the lowest data losses—are two types
of non-core business data that are considered to be among their most sensitive data:
• IT security data
• Regulatory audit and reporting data
Sensitive data
• Identify the sensitive core business data of your organization
• Include IT security and regulatory audit data as sensitive data that must be protected
Root causes
Resolve to mitigate the biggest causes of data loss:
• User errors
• Violations of policy
• Internet threats, attacks and hacks

Whether an organization has only a few losses or more than 20 losses per year, the
pipelines for data loss are nearly identical:
• Data residing on PCs, laptops and other mobile devices
Technologies
Place bets on multiple IT control baskets to protect data, especially the following:
• Auditing, measurement and reporting tools
• Network access controls
• Application, server and PC access controls
• Internet threat controls
• Data protection and cryptography tools
If these are in place, aim to include additional IT controls, including data archive and
restore systems; IT asset tracking and reporting tools; IT configuration management
tools; data leakage, audit and reporting tools; IT change management tools; and role-
based access controls.
Organizational strategy
The first line of defense to protect data includes all the people who are handling
data: this includes data outsourced and managed by business partners, not just
employees. Review and update policies for sensitive data protection, handling,
retention and destruction. Conduct training and implement accountability programs
that reward good behavior and compliance with policies.

Failing to protect IT security and regulatory audit data is like a bank giving away
the combination to the vault. And this is exactly what most firms are doing. Instead
of securities and cash, these firms are putting sensitive data, customers, revenues
and business futures entirely at risk.
Key findings
It’s hard to imagine what businesses would do without technology. With most commercial
interactions (and transactions) riding on multiple internal and external electronic
environments—and ever-mounting mandates for demonstrating accountability—
organizations have more incentive than ever to keep core business data safe and
secure. What are companies doing to protect their data, and are these efforts successful?
This Benchmark report provides a clearer understanding of the state of data protection
across many different industries, and compares the characteristics and the strategic and
tactical actions that improve results. Because the issue is under-reported—no
organization wants to be featured on the front page of the business press for losing
customer data—the findings and numbers are enlightening and compelling, and will
hopefully serve as a diagnostic framework for taking action that reduces data loss,
customer loss and revenue loss, and hence improves results.
© 2007 IT Policy Compliance Group
Performance classification   Confirmed annual losses of sensitive data   Share of organizations
Industry laggards            22                                          20%
Industry norm                6                                           68%
Industry leaders             Less than 2                                 12%
[Figure: percentage of organizations classifying each type of data as sensitive (customer, corporate, employee, financial, sales, design, manufacturing and IT security data), shown for lagging organizations, the industry norm and leading organizations.]
By comparison, the only data that is as highly valued as sensitive by lagging organizations
is financial data. Customer and corporate data are valued slightly above the mean.
Otherwise, no other forms of data are considered sensitive by firms with the most
data losses.
[Figure: share of sensitive data loss instances attributed to each of 16 causes, ranging from 1 in 2 to 1 in 10.]
Although human error accounts for the vast majority of sensitive data losses, the
remaining causes of data loss—each of which accounts for between one in ten and two in
ten instances—are more evenly distributed and less focused.
Among the least frequent causes of data loss are improperly disposed-of computing
equipment, unauthorized access to IT resources and insufficient controls on IT procedures,
each of which accounts for less than one in every ten instances of sensitive data loss.
Causes of data loss vary by performance results
Although the primary cause of data loss for most organizations is the interaction
of people with computing systems, the specific causes of loss vary by performance
results. Among organizations with the highest loss rates, employee manipulation and
malfeasance, insufficient auditing and monitoring along with insufficient IT controls
are among the top five leading causes of data loss. Among firms with the fewest losses,
employee manipulation and malfeasance as well as inappropriate use of IT resources
creep into the top five causes for data loss. Lastly, lost or stolen laptops, along with
insufficient controls in IT and on business procedures are among the top five causes
of data loss among the vast majority of firms (Table 1).
[Figure: percentage of organizations reporting each of eight channels for sensitive data loss.]
The only significant difference in the Benchmark is for data that has been outsourced
or off-shored. Thirty-one percent of lagging organizations and 29 percent of leading
organizations are finding that outsourced or off-shored data is a primary avenue for
data loss, while only eight percent of firms operating at the norm experienced losses
of sensitive data that had been outsourced or off-shored.
Having established policies and procedures along with a shared sense of ownership
to solve the problem of data loss, the leaders are taking the next steps to reduce and
mitigate data losses.
In contrast, lagging organizations are below the mean for seven of the eight strategic
actions, while firms operating at the norm for protecting data are below the mean for three
of the eight strategic actions. What is particularly telling is the one action with the most
divergence between the leaders and all other organizations: an increase in auditing,
measurement and reporting.
Blind monitoring of controls on a more frequent basis, by itself, is unlikely to stem data
losses. However, the Benchmark findings are clear: 100 percent of the leading firms—
those with the fewest losses of sensitive data—are monitoring controls and procedures
for sensitive data on at least a weekly basis. This single action, weekly monitoring of
controls and procedures, is subscribed to by all leading firms, and is the strategic
action that is making a significant contribution to retarding and eliminating the loss of
sensitive data.
By comparison, nearly all other firms (97 percent) are monitoring the effectiveness of
controls and procedures on a substantially less frequent basis, ranging from monthly
to annually. In fact, the average time between measurements for most organizations
is once every 176 days, while the minority of lagging institutions are even more lax,
measuring once every 205 days.
[Figure: percentage of organizations by frequency of monitoring and measuring controls and procedures (1. once annually, 2. once per quarter, 3. once per month, 4. once per week, 5. once per day), shown for industry lagging, industry norm and industry leading organizations. Annotation: leading organizations, with fewer than 2 data losses annually, measure once every 4 days.]
The Benchmark findings show that firms spending more time on the most important
strategic actions are rewarded with lower confirmed data losses. In summary, the
actions being taken by industry leading organizations that are resulting in the low loss
rates include:
• Monitoring and measuring controls and procedures weekly
• Delivering training to employees and contractors
• Modifying IT security controls and procedures
• Modifying policies, standards and procedures
• Holding employees accountable to policies and standards
After these five, a secondary group of six IT controls is being utilized by firms with the
lowest data losses. These controls include: data archive and restore systems; IT asset
tracking and reporting tools; IT configuration management tools; data leakage, audit
and reporting tools; IT change management tools; and role-based access controls.
What is noticeable about organizations with the lowest data losses is the widespread
use of many different IT controls to protect sensitive data. What is even more interesting
is the almost continuous measurement of controls and procedures. Instead of assuming
the IT controls are working to protect data, the leaders are placing many different IT
controls in the environment, and are monitoring and measuring weekly.
Clearly, data is money and the business and financial impact of data theft and loss are real.
[Figure: percentage of organizations reporting each of ten benefits of protecting sensitive data.]
Ranked lower and by fewer organizations are a range of benefits, including: less concern
about data leakage and public news reports; reductions and/or avoidance of litigation
and associated costs; less concern about external audit findings; improvements to
customer loyalty and retention; continued business with major customers and trading
partners; and less concern about competitive access to sensitive data. Ranked lowest
and by the fewest number of organizations are reduced insurance costs and
improvements to shareholder value.
Based on the benefits being realized and the results being achieved by leading
organizations, it simply makes sound business sense to take action to protect sensitive data.
It costs much less to protect sensitive data than it does to replace lost customers and
repair damage to the image of the organization and its brand equity, in most cases an
irreplaceable asset.
If your organization does not know how much sensitive data is being lost, now is the
time to find out, before it becomes public knowledge. After determining how much and
what type of data is being lost, focus on what it will take to protect the most sensitive
data, not all data. Do not forget to place IT security data and regulatory audit data at
the top of the list: one provides the keys to the vault, the other a record of what was
removed and who removed it.
Author profile
Jim Hurley
Managing director, Research, IT Policy Compliance Group
Research director, Symantec
Jim Hurley is managing director of the IT Policy Compliance Group and a director of
research with Symantec Corporation. In his role, Jim is responsible for working with
members to drive, field, and deliver benchmarks and reports that focus on enabling
organizations to improve their IT policy compliance results. Jim comes to IT Policy
Compliance Group and Symantec after more than 10 years as the vice president of
research with Aberdeen Group, an independent research, analysis, and consulting
organization. His 25 years in scientific, healthcare, IT and technology-related industries
have included multiple roles including management, operations, sales, marketing,
customer service, research, design, development, and manufacturing.
Research methodology
This IT Policy Compliance Group Benchmark covering data losses and actions to improve
results was conducted with 201 organizations between August and October of 2006.
The margin of error is plus or minus six percent. The majority of participating
organizations (90 percent) are located in the United States. The other ten percent are
located around the globe, in Germany, the United Kingdom, Australia, Brazil, Canada, the
United Arab Emirates, Japan and elsewhere. The companion benchmark covering financial
losses from data losses was conducted with another 254 organizations in December
of 2006. Demographic details of this companion benchmark will be included in an
upcoming report.
Size of organizations
Thirty-five percent of the organizations participating in this Benchmark have annual
revenues, assets under management or budgets of less than $50 million. Another 35
percent have annual revenues, assets under management or budgets that are between
$50 million and $499 million. The remaining 30 percent have annual revenues, assets
under management or budgets that are $500 million or more.
Industries represented
A wide range of industries participated in the benchmark including aerospace;
automotive; banking; chemicals; computer equipment and peripherals; computer
software and services; construction, architecture and engineering services; consumer
electronics; consumer packaged goods; distribution; education; financial and accounting
services; general business and repair services; government—public administration;
government—defense and intelligence; health, medical and dental services; insurance;
law enforcement; legal services; management, scientific and consulting services;
manufacturing; medical devices; metals and metal products; mining, oil and gas;
publishing, media and entertainment; real estate, rental and leasing services; retail
trade; transportation and warehousing; travel, accommodation and hospitality
services; utilities; and wholesale trade. Manufacturing, along with health, medical
and dental services each account for 12 percent of participating organizations. All
other industries represent less than ten percent of participating organizations.
Number of employees
Thirty-six percent of participating organizations employ fewer than 250 persons.
Thirty-six percent employ between 250 and 2,499 persons. The remaining 28 percent
employ 2,500 or more.
Participants
Twenty-six percent of participants in this Benchmark are senior managers (CEO, CFO,
CIO, etc.), 11 percent Vice Presidents, 36 percent managers or directors, 23 percent staff,
and four percent internal consultants. Thirty-three percent of the participants work in
finance and internal controls, another 28 percent work in IT, 10 percent are employed
in customer service, and the remaining 29 percent are distributed across a wide range
of job functions, including legal, compliance, sales, marketing, design, development,
manufacturing, procurement, and logistics.
Appendix
Data losses in the U.S. since ChoicePoint
From the public announcement of sensitive data losses at ChoicePoint on February 15,
2005, to January 19, 2007, the Privacy Rights Clearinghouse (PRC) recorded 453
separate incidents of data loss involving sensitive, personally identifiable information—
about one publicly reported data loss event every two days. According to the PRC, more
than 100 million records of personally identifiable data were exposed, stolen or lost
during this period.
The information collected by the PRC has been categorized by the date that a data loss
was made public, the name of the organization involved, and the type and number of
records involved. The IT Policy Compliance Group has not verified whether the data
compiled by the PRC is accurate and complete.
What is clear from the PRC information is that almost every industry has experienced
sensitive data loss, with some industries more affected than others. Moreover, most
of the institutions listed are widely known. The cause for the data breaches in these
453 incidents, according to the PRC, ranges widely, from computer hacking to stolen
laptops and misplaced archive tapes, among other causes. The data from the PRC does
not include unreported data breaches. It appears that many of the sensitive data losses
cataloged by the PRC involve employee, customer, and financial data.
What is not clear is whether the data losses also involve corporate, business partner,
sales, sourcing, logistics, manufacturing, design, audit, and IT security data.
The PRC information covering data breaches since ChoicePoint can be reviewed at its
website: http://www.privacyrights.org/ar/ChronDataBreaches.htm.
www.itpolicycompliance.com
The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but it is not
guaranteed. Research publications reflect current conditions that are subject to change without notice.
Copyright © 2007 IT Policy Compliance Group. All rights reserved.