Taking Action to Protect Sensitive Data

    8/8/2019 Taking Action to Protect Sensitive Data

    1/32

    Taking Action to Protect Sensitive Data

    Benchmark Research Report

    February 2007

    IT Policy Compliance Group

    2007 IT Policy Compliance Group i

    Contents

    Executive summary (p. 1)
        Key findings (p. 1)
        Implications and analysis (p. 3)
        Recommendations for action (p. 4)
    Key findings (p. 5)
        Unconfirmed reports of sensitive data loss (p. 6)
        Data loss results: confirmed losses of sensitive data (p. 6)
        Which data are most sensitive? (p. 7)
        Leading causes of data loss (p. 11)
        The primary channels for sensitive data loss (p. 14)
        Responding to the challenge of protecting sensitive data (p. 15)
        Strategic actions to protect sensitive data (p. 17)
        Better results: more frequent monitoring and measurement (p. 18)
        Time allocated to protecting sensitive data (p. 20)
        IT controls and sensitive data losses (p. 21)
        Lost data: lost revenues, lost customers and additional expenses (p. 22)
        Benefits of protecting sensitive data (p. 23)
    Recommendations for action (p. 25)
    Author profile (p. 26)
    Research methodology (p. 26)
    Appendix (p. 28)
        Data losses in the U.S. since ChoicePoint (p. 28)
    About IT Policy Compliance Group sponsors (p. 29)

    Executive summary

    Key findings

    Extent of the data loss problem

    When it comes to data losses, not all organizations are alike: some are experiencing only a few while others are suffering from many losses of sensitive data. The benchmark shows that:

    About one in ten organizations (twelve percent) are experiencing fewer than two losses of sensitive data each year

    The vast majority of organizations, almost seven in ten (68 percent), are experiencing six losses of sensitive data annually

    A fairly sizable two in ten organizations (twenty percent) are suffering from 22 or more sensitive data losses per year

    The type of data being lost, stolen or destroyed

    The most sensitive losses involve data that is stolen, leaked or destroyed, including:

    Customer data

    Financial data

    Corporate data

    Employee data

    IT security data

    Leading causes of data loss

    The leading causes of sensitive data loss fall into three primary problems:

    User errors

    Violations of policy

    Internet threats, attacks and hacks

    Primary channels through which data are being lost

    The primary conduits through which sensitive data are being lost include:

    PCs, laptops and mobile devices

    Email, instant messaging and other electronic channels

    Applications and databases and the systems these operate on

    Financial impacts of data loss

    The average financial losses and costs being experienced by organizations from stolen and lost data that are publicly reported include:

    A loss of customers amounting to eight (8) percent

    A commensurate loss of revenue amounting to eight (8) percent

    $100 in expenses per customer record to notify customers and restore data that has been lost, stolen or destroyed

    Key findings (continued)

    Taking action to reduce financial and sensitive data losses

    Actions proven to mitigate and reduce data loss that are being taken by firms with the fewest data losses include:

    Measuring actual data losses

    Identifying the most critical sensitive data, including IT security and regulatory audit data

    Modifying policies and procedures

    Making data protection everyone's business

    Inventorying IT controls, especially those for PCs, laptops, mobile field devices, email, Web and Internet channels, applications and databases

    Employing many different IT controls to mitigate data loss, destruction, and theft

    Weekly monitoring and reporting on the effectiveness of controls and procedures

    Use of multiple IT controls

    Instead of being fixated on one IT control, such as cryptography to protect data on laptops, best-in-class organizations are employing multiple technologies, including: audit, measurement and reporting tools; network access controls; application, server and PC access controls; Internet threat controls; data protection and cryptography tools; and data archive and restore systems, among others.

    Organizations with higher losses of sensitive data are either employing a limited selection of IT controls or are not using IT controls to help reduce sensitive data loss.

    The business benefits of protecting sensitive data

    The primary business benefits of protecting sensitive data include:

    Assurance of integrity for the company brand and image

    Lowered concerns about electronic theft

    Improvements in customer loyalty and retention

    Fewer customer defections

    Lower revenue losses

    Lower expenses to notify customers and restore data

    Implications and analysis

    Only 12 percent of organizations (about one in ten) are experiencing fewer than three losses of sensitive data in the past year. For all other institutions (almost 90 percent) data loss rates are higher.

    The leading organizations (those with the fewest losses of sensitive data) are spending more time, employing multiple IT controls, and monitoring compliance with their policies weekly, to significantly reduce the loss of sensitive data. In fact, leading organizations are uniquely:

    Employing multiple IT controls to help protect sensitive data

    Monitoring and measuring controls and procedures to protect data once every four days

    While best-in-class organizations are monitoring and measuring controls and procedures to protect sensitive data once a week, most firms are conducting such measurements only once in a blue moon: at best, once every 176 days. Furthermore, all other organizations are either ignoring the use of IT controls to protect sensitive data or are selectively employing only a few. In this day of instantaneous electronic information exchange and 24x7x365 Internet connectivity, infrequent monitoring and underutilized IT controls will likely contribute to more instances of sensitive data loss.

    Also unique among the leading firms (those with the lowest data losses) are two types of non-core business data that are considered to be among their most sensitive data:

    IT security data

    Regulatory audit and reporting data

    Unfortunately, the leading organizations are in a distinct minority when it comes to protecting sensitive data, including IT security and regulatory audit data. Failing to protect IT security and regulatory audit data can be compared to a bank giving away the combination to the vault. And yet, that is exactly what most organizations are doing. Worse still, without sufficient controls in place, most organizations are shining a spotlight on the location of the vault, helping thieves tiptoe their way in and out to complete a burglary without being detected. Instead of securities and cash, organizations with sensitive data losses are putting the business as well as customer data at risk.

    Based on the experiences of leading organizations, the decision to protect sensitive data represents far less risk (and far less cost) than would be required to remedy a data breach: to find and replace lost customers, lost revenue, not to mention the substantial damage to the image of the organization and its brand.

    Technologies

    Place bets on multiple IT control baskets to protect data, especially the following:

    Auditing, measurement and reporting tools

    Network access controls

    Application, server and PC access controls

    Internet threat controls

    Data protection and cryptography tools

    If these are in place, aim to include additional IT controls, including data archive and restore systems; IT asset tracking and reporting tools; IT configuration management tools; data leakage, audit and reporting tools; IT change management tools; and role-based access controls.

    Organizational strategy

    The first line of defense to protect data includes all the people who are handling data: this includes data outsourced and managed by business partners, not just employees. Review and update policies for sensitive data protection, handling, retention and destruction. Conduct training and implement accountability programs that reward good behavior and compliance with policies.

    While some parts of the organization may be better suited to fulfill the roles of data guardians and data custodians, do not make data protection the sole responsibility of internal controls, employees handling sensitive customer data, business unit managers, IT, legal or human resources: it is everyone's job.

    Key findings

    It's hard to imagine what businesses would do without technology. With most commercial interactions (and transactions) riding on multiple internal and external electronic environments, and ever-mounting mandates for demonstrating accountability, organizations have more incentive than ever to keep core business data safe and secure. What are companies doing to protect their data, and are these efforts successful?

    This Benchmark report provides a clearer understanding of the state of data protection across many different industries, and compares the characteristics, strategic and tactical actions for improving results. Due to the under-reported nature of the issue (no organization wants to be featured on the front page of the business press for losing customer data) the findings and numbers are enlightening, compelling, and hopefully will act as a diagnostic framework for taking action that will help to reduce data loss, customer loss, revenue loss and hence improve results.

    "Failing to protect IT security and regulatory audit data is like a bank giving away the combination to the vault. And this is exactly what most firms are doing. Instead of securities and cash, these firms are putting sensitive data, customers, revenues and business futures entirely at risk."

    Unconfirmed reports of sensitive data loss

    Whatever the cause (whether data was reported as missing, leaked, accidentally deleted, destroyed or stolen), on average, organizations experience 26 reported but unconfirmed losses of sensitive data per year. More telling is the distribution of such data losses:

    Industry lagging organizations, the 20 percent having the worst data loss reports, are experiencing the highest rates of unconfirmed sensitive data losses, averaging 64 unconfirmed but reported losses of sensitive data annually

    Industry normative organizations, the 68 percent of organizations with loss reports in the middle of the pack, experience a more moderate level of 19 unconfirmed but reported data losses each year

    Industry leading organizations, the 12 percent of organizations with the fewest reports of data loss, experience five (5) unconfirmed but reported data losses each year

    Data loss results: confirmed losses of sensitive data

    Fortunately, most organizations are experiencing actual loss rates that are much lower than the suspected and reported losses of sensitive data. However, confirmed data loss experience varies widely, with some organizations experiencing much larger confirmed losses and a minority experiencing very small confirmed data losses (Figure 1).

    Much like unconfirmed reports of data loss, the distribution of actual loss experience shows:

    Industry lagging organizations, the 20 percent having the worst data losses, experience the highest rates of confirmed sensitive data losses, averaging 22 actual losses of sensitive data annually

    Industry normative organizations, the 68 percent with middle-of-the-road data losses, experience a more moderate number of six (6) confirmed data losses per year

    Industry leading organizations, the 12 percent with the fewest data losses, experience fewer than two (2) confirmed data losses each year

    What was measured by this benchmark

    Measured:

    Data reported as missing, leaked, accidentally deleted, destroyed or stolen

    Data confirmed as missing, leaked, accidentally deleted, destroyed or stolen

    Not measured:

    Data losses distinguished by type of event, including how much data was missing, leaked, deleted, destroyed, or stolen, among others.

    Figure 1: Sensitive data loss results. Source: IT Policy Compliance Group, 2007

    Which data are most sensitive?

    Not all data are valued, or considered sensitive, equally, due to differences in mission, values of the organization, competitive value, financial value, brand reputation, and regulatory audit risk, among other factors. Still, there are certain types of data that are more (and less) sensitive across all industries.

    Highly sensitive and valued data

    Across all industries, the data considered most sensitive include:

    1. Customer data

    2. Financial data

    3. Corporate data

    4. Employee data

    5. IT security data

    Moderately sensitive data

    Types of data considered moderately sensitive include business partner data, sales data,intellectual property data, and regulatory audit and reporting data.

    Less valued data

    The types of data ranked as least sensitive include data on manufacturing and related design data, along with sourcing and logistics data (Figure 2). Although potentially not appropriate for specific industries, this ranking of data sensitivity provides some insight into the value of data across a broad spectrum of organizations.

    Figure 1 data: confirmed annual losses of sensitive data by performance classification (population experiencing losses, N: 201)

    Performance classification    Confirmed annual losses of sensitive data    Share of population
    Industry laggards             22                                           20%
    Industry norm                 6                                            68%
    Industry leaders              Less than 2                                  12%

    Figure 2: Least and most sensitive data. Source: IT Policy Compliance Group, 2007

    Most sensitive data among organizations with the fewest losses

    The types of data that are considered most sensitive by leading organizations (those with the fewest confirmed data losses) include IT security data, customer data, corporate data, employee data, financial data, and regulatory audit and reporting data.

    Most sensitive data among organizations with the largest losses

    The data considered most sensitive by lagging organizations (those with the highest confirmed data losses) are financial data, customer data, corporate data, employee data, and regulatory audit and reporting data.

    [Figure 2: bar chart of the percentage of organizations (0% to 80%) rating each data type as most sensitive versus least sensitive. Data types: 1. Customer data; 2. Corporate data; 3. Employee data; 4. Business partner data; 5. Financial data; 6. Sales data; 7. Design data; 8. Manufacturing data; 9. Sourcing and logistics data; 10. Intellectual property data; 11. Audit and reporting data; 12. IT security data.]

    Differences by data loss results

    IT security data is ranked as the most sensitive data by 92 percent of firms with the lowest rate of actual data losses. By comparison, only 46 percent of the lagging organizations, firms with the highest confirmed cases of sensitive data loss, rank IT security data as the most sensitive data.

    A comparable variance occurs with regulatory audit and reporting data. Seventy-five percent of leading organizations rank audit and reporting data as their most sensitive data. This compares with 37 percent of lagging organizations that rank IT security data as their most sensitive data (Figure 3).

    Figure 3: What lagging and leading organizations consider sensitive. Source: IT Policy Compliance Group, 2007

    [Figure 3: bar chart of the percentage of organizations (0% to 100%) considering each data type sensitive, comparing industry leaders (fewest sensitive data losses) with industry laggards (most sensitive data losses). Data types: 1. Customer data; 2. Corporate data; 3. Employee data; 4. Business partner data; 5. Financial data; 6. Sales data; 7. Design data; 8. Manufacturing data; 9. Sourcing and logistics data; 10. Intellectual property data; 11. Audit and reporting data; 12. IT security data.]

    Leading organizations: leveraging the sentinels guarding valued business data

    Companies seeking improved data protection results would do well to take the necessary steps needed to protect IT security data. IT security data and regulatory audit and reporting data act as sentries guarding and documenting the movement of business data, and the experience of leading organizations indicates that protecting them is a necessary first step toward protecting sensitive and valued business data.

    In contrast, almost 70 percent of firms, those with middle-of-the-road rates of data losses, are principally focused on protecting financial data, secondarily on protecting other forms of business data and, perhaps thirdly, on protecting IT security data, the mechanisms providing access to valued business data.

    Among lagging organizations, the sensitivity of IT security data and IT audit and reporting data, which provide evidence of access to sensitive business data, is below the mean for the entire population. This indicates that the firms with the highest data losses may be unaware, unwilling, or unable to protect access to core business data and records of such access.

    How else do leading organizations differ?

    When the ranking of sensitive data types is compared to the mean results of the population, the picture that emerges reinforces the importance of the value of IT security and regulatory data for protecting core business data among leading organizations (Figure 4).

    The types of data that leading organizations consider most sensitive are, in order: IT security data, customer data, corporate data, regulatory audit and reporting data, employee data, financial data and intellectual property data. Organizations operating at the industry norm are focusing on almost all the same business data as those that are leading, but do not consider IT security data and regulatory audit data as sensitive. Lower valuations also emerge within the normative group for intellectual property and business partner data.

    Figure 4: Data sensitivity by type and loss rates. Source: IT Policy Compliance Group, 2007

    By comparison, the only data that is as highly valued as sensitive by lagging organizations is financial data. Customer and corporate data are valued slightly above the mean. Otherwise, no other forms of data are considered sensitive by firms with the most data losses.

    Leading causes of data loss

    The three leading causes of sensitive data loss for all organizations are:

    User errors

    Violations of policy

    Internet-based threats, attacks and hacks

    [Figure 4: chart comparing lagging organizations, leading organizations and the industry norm on the sensitivity of each data type: customer data, corporate data, employee data, business partner data, financial data, sales data, design data, manufacturing data, sourcing and logistics data, intellectual property data, regulatory audit and reporting data, IT security data.]

    Human error is driving data losses

    In one form or another, human error is the overwhelming cause of sensitive data loss, responsible for 75 percent of all occurrences. User error is directly responsible for one in every two cases (50 percent) while violations of policy (intended, accidental and inadvertent) are responsible for one in every four cases (25 percent). Malicious activity in the form of Internet-based threats, attacks and hacks is responsible for one in every five occurrences (Figure 5).

    After these top-three causes of data loss, the common causes of data loss include: lost or stolen PC laptops; accidental damage to computing equipment; IT vulnerabilities; inappropriate usage of IT resources; insufficient IT controls; employee manipulation and malfeasance; insufficient controls on business procedures; inappropriate access to IT resources; improperly transferred backup media; and insufficient auditing, monitoring and reporting.

    Figure 5: Leading causes of data loss

    Source: IT Policy Compliance Group, 2007

    [Figure 5: chart of the cause of data losses by number of events, on a scale from 1 in 10 to 1 in 2 events (N: 201). Causes: 1. Lost or stolen laptops; 2. Improperly disposed of computer equipment; 3. User errors; 4. Improperly transferred backup media; 5. Inappropriate access to IT resources; 6. Insufficient controls on business procedures; 7. Insufficient controls on IT procedures; 8. Internet threats, attacks and hacks; 9. Employee manipulation and malfeasance; 10. Accident and damage to computing equipment; 11. Inappropriate usage of IT resources; 12. Violation of policies; 13. Unauthorized access to IT resources; 14. Insufficient auditing, monitoring and reporting; 15. IT vulnerabilities; 16. Insufficient IT controls.]

    Although human error accounts for the vast majority of the causes of sensitive data loss, thereafter the causes of data loss (each of which accounts for between two in ten and one in ten instances) are more evenly distributed and less focused.

    Among the least frequent causes of data loss are improperly disposed-of computing equipment, unauthorized access to IT resources and insufficient controls on IT procedures, each of which accounts for less than one in every ten instances of sensitive data loss.

    Causes of data loss vary by performance results

    Although the primary cause of data loss for most organizations is the interaction of people with computing systems, the specific causes of loss vary by performance results. Among organizations with the highest loss rates, employee manipulation and malfeasance, insufficient auditing and monitoring along with insufficient IT controls are among the top five leading causes of data loss. Among firms with the fewest losses, employee manipulation and malfeasance as well as inappropriate use of IT resources creep into the top five causes for data loss. Lastly, lost or stolen laptops, along with insufficient controls in IT and on business procedures are among the top five causes of data loss among the vast majority of firms (Table 1).

    Table 1: Cause of data loss, laggards to leaders. Source: IT Policy Compliance Group, 2007

    Top five causes of data loss

    Industry lagging (22 data losses):
        1. Violations of policy (1 in 3 events)
        2. User errors (1 in 3 events)
        3. Employee manipulation and malfeasance (1 in 4 events)
        4. Insufficient auditing and monitoring (1 in 5 events)
        5. Insufficient IT controls (1 in 5 events)

    Industry norm (6 data losses):
        1. User errors (1 in 2 events)
        2. Violations of policy (1 in 4 events)
        3. Internet threats, attacks and hacks (1 in 6 events)
        4. Lost or stolen laptops (1 in 7 events)
        5. Insufficient controls in IT and on business procedures (1 in 8 events)

    Industry leading (fewer than 2 data losses):
        1. User errors (1 in every 1.5 events)
        2. Internet threats, attacks and hacks (1 in 3 events)
        3. Inappropriate usage of IT resources (1 in 4 events)
        4. Violations of policy (1 in 6 events)
        5. Employee manipulation and malfeasance (1 in 6 events)

    The primary channels for sensitive data loss

    The three largest conduits through which sensitive data are being lost, stolen, destroyed, or misplaced include:

    Data residing on PCs, laptops and other mobile devices

    Data leaking through email, instant messaging and other electronic channels

    Data that is accessible through applications and databases

    Top three conduits for data loss

    Sixty-two (62) percent of organizations cite data residing on PCs, laptops and mobile field devices as the primary venues through which data are being lost. This is followed by 52 percent of organizations that are experiencing data leaking through email, instant messaging and other electronic channels as the primary conduit for data loss. Rounding out the top three loss venues, 43 percent of organizations are grappling with data losses occurring through applications, databases and the systems on which applications and databases are operating (Figure 6).

    After these three primary pipelines through which sensitive data is disappearing, organizations rank data that is transferred to backup and archive sites, data residing in centralized storage facilities and devices, and data that is in the hands of business partners and suppliers as the next three passageways for data loss.

    Figure 6: Primary conduits for data loss. Source: IT Policy Compliance Group, 2007

    [Figure 6: bar chart of the percentage of organizations (0% to 70%) citing each conduit for data loss. Conduits: 1. Data residing on PCs, laptops and other mobile devices; 2. Data leaking through email, instant messaging and other electronic channels; 3. Data residing in centralized storage facilities and devices; 4. Data transferred to backup and archive sites; 5. Data that has been off-shored or outsourced; 6. Data in the hands of business partners and suppliers; 7. Data accessible through applications and databases; 8. Data in the hands of sales channel partners.]

    The only significant difference in the Benchmark is for data that has been outsourced or off-shored. Thirty-one percent of lagging organizations and 29 percent of leading organizations are finding that outsourced or off-shored data is a primary avenue for data loss, while only eight percent of firms operating at the norm experienced losses of sensitive data that had been outsourced or off-shored.

    Responding to the challenge of protecting sensitive data

    How organizations prioritize and respond to the challenges of protecting sensitive data varies by performance results, with very large differences between the leaders and all other organizations, and smaller differences between laggards and firms operating at the norm (Table 2).

    Among firms with the highest data losses, the primary challenges include determining gaps and exposures that are leading to data loss, monitoring and measuring compliance with policy, and maintaining IT controls for sensitive data. Lagging organizations are responding to their challenges to protect sensitive data by changing IT policies and procedures, delivering training to employees and contractors about policies, and changing business procedures. Normative organizations are uniquely challenged to change the behavior of employees and contractors. These organizations are responding to their challenges to protect sensitive data by changing IT policies, changing business procedures and delivering training to employees and contractors.

    Despite these differences, the importance of instituting and enforcing sound policies and procedures comes through loud and clear. Put another way, no amount of training will overcome poorly conceived or supported policies, or have a significant effect until sound policies and procedures along with a shared sense of ownership are put in place for all employees and contractors. In addition to other findings and recommendations in this benchmark, responding to the challenges will require organizations to develop and institute cultural imperatives that foster the protection of sensitive data.

    Despite some similarities, the leaders have one challenge not faced by other organizations: the need to classify sensitive data. Likewise, the leaders are responding very differently to the challenge of protecting sensitive data, and are especially focused on inventorying sensitive data while automating controls and procedures to protect data.


Table 2: Challenges and responses (Source: IT Policy Compliance Group, 2007)

    Leading organizations: uniquely responding

A challenge uniquely found among the organizations with the fewest data losses is classifying data. Moreover, the prioritized responses being taken by the leaders are unlike those of all other organizations, and include:

    1. Automating IT controls and procedures for protecting sensitive data

    2. Maintaining an inventory of sensitive data

    3. Increasing the frequency of monitoring and measurements

Having established policies and procedures, along with a shared sense of ownership, to solve the problem of data loss, the leaders are taking the next steps to reduce and mitigate data losses.

Table 2 data, by prioritized ranking (1 = highest priority):

Industry lagging (22 data losses)
  Challenges: 1. Determining gaps and exposures for sensitive data; 2. Monitoring and measuring compliance with policies; 3. Maintaining IT controls for sensitive data
  Responses: 1. Changing IT policies and procedures; 2. Delivering training to employees and contractors; 3. Changing business procedures

Industry norm (6 data losses)
  Challenges: 1. Maintaining IT controls for sensitive data; 2. Determining gaps and exposures for sensitive data; 3. Changing the behavior of employees and contractors
  Responses: 1. Changing IT policies and procedures; 2. Changing business procedures; 3. Delivering training to employees and contractors

Industry leading (fewer than 2 data losses)
  Challenges: 1. Classifying and protecting sensitive data; 2. Maintaining IT controls for sensitive data; 3. Monitoring and measuring compliance with policies
  Responses: 1. Automating IT controls and procedures for protecting sensitive data; 2. Maintaining an inventory of sensitive data; 3. Increasing the frequency of monitoring and measurements


Strategic actions to protect sensitive data

In addition to responding differently, organizations are taking different strategic actions to protect sensitive data, and the leading organizations, those with the fewest data losses, are taking very different actions to protect sensitive data (Figure 7).

Figure 7: Strategic actions taken to protect sensitive data (Source: IT Policy Compliance Group, 2007)

    Industry leading organizations: different strategic actions

Firms with the lowest number of data losses are taking five principal strategic actions to protect sensitive data. These actions include:

Increasing the frequency of measuring and reporting on the efficacy of controls and procedures

    Delivering training to employees and contractors

    Modifying IT security controls and procedures

Modifying policies, standards and procedures

    Holding employees accountable to policies and standards

In contrast, lagging organizations are below mean for seven of the eight strategic actions, while firms operating at the norm for protecting data are below mean for three of the eight strategic actions. What is particularly telling is the one action with the most divergence between the leaders and all other organizations: an increase in auditing, measurement and reporting.

Figure 7 plots the deviation from mean for lagging organizations, the industry norm and leading organizations across eight strategic actions: modified policies, standards and procedures; delivered training to employees and contractors; changed roles and responsibilities; centralized the storage of sensitive data; modified IT security controls and procedures; modified the classification of data; increased auditing, monitoring and reporting; held employees accountable to policies and standards.


Example: a major bank in the United States

In addition to taking the top-five strategic actions of leading organizations, a major bank in the United States broadened the responsibility for safeguarding customer data to include the employees who managed customer accounts in the business and consumer divisions. These employees were trained on the new procedures and policies for handling sensitive customer data. This organization also implemented quarterly data reviews as part of the compensation review for account managers. The IT organization at this bank moved from measuring and monitoring controls and procedures once quarterly to once weekly, scheduled on random days from one week to the next.

    Example: a manufacturing firm in Europe

A large manufacturing firm in Europe decided to implement additional controls on the information flowing through its electronic channels in order to first identify, and then reduce, losses of sensitive data. After identifying the primary sources of data loss, this firm implemented new policies, procedures and controls. It introduced training for employees and increased the frequency of its controls and procedures monitoring regimen to weekly.

    Example: a mid-size insurance company

A medium-size insurance company suspected it was losing some type of data. After monitoring and documenting data losses, it formed a multi-disciplinary team to overhaul its policies, controls, procedures, and monitoring of sensitive data. Today, the firm identifies the potential impact of most sensitive data losses during, or within a few minutes of, each occurrence.

Example: a large legal services firm

This organization decided to classify all of its data, implement new policies and procedures, and hold all employees accountable to new standards. The firm now implements around-the-clock monitoring of controls and procedures for sensitive data.

    Better results: more frequent monitoring and measurement

Organizations with the fewest data losses, the industry leading organizations, are monitoring and measuring the effectiveness of controls and procedures to protect sensitive data on average once every four days. This rate of audit and monitoring is vastly higher than that of the remaining organizations, which are monitoring controls and procedures once every six to seven months (Figure 8).


Blind monitoring of controls on a more frequent basis, by itself, is unlikely to stem data losses. However, the Benchmark findings are clear: 100 percent of the leading firms, those with the fewest losses of sensitive data, are monitoring controls and procedures for sensitive data on at least a weekly basis. This single action, weekly monitoring of controls and procedures, is subscribed to by all leading firms, and is the strategic action that is making a significant contribution to retarding and eliminating the loss of sensitive data.

By comparison, nearly all other firms (97 percent) are monitoring the effectiveness of controls and procedures on a substantially less frequent basis, ranging from monthly to annually. In fact, the average time between measurements for most organizations is 176 days, while the minority of lagging institutions are even more lax, measuring once every 205 days.

Figure 8: Frequency of monitoring and measurement (Source: IT Policy Compliance Group, 2007)

Performance results and frequency of measurement:
  Lagging (22 data losses annually): once every 205 days
  Norm (6 data losses annually): once every 176 days
  Leading (fewer than 2 data losses annually): once every 4 days

The chart plots the percentage of organizations (0% to 60%) among industry leading, industry norm and industry lagging firms against how often the effectiveness of controls and procedures for protecting sensitive data is measured: 1. once annually; 2. once per quarter; 3. once per month; 4. once per week; 5. once per day.


Time allocated to protecting sensitive data

Leading organizations, firms with the lowest number of data losses, are devoting 33 percent of the total time spent by IT to protecting sensitive data: more than seven days per month. By comparison, normative and lagging organizations are, respectively, spending 22 percent and 14 percent of IT time on protecting sensitive data (Table 3).

Table 3: Time spent by IT on protecting data (Source: IT Policy Compliance Group, 2007)

The Benchmark findings show that firms spending more time on the most important strategic actions are rewarded with lower confirmed data losses. In summary, the actions being taken by industry leading organizations that are resulting in the low loss rates include:

Monitoring and measuring controls and procedures weekly

    Delivering training to employees and contractors

    Modifying IT security controls and procedures

Modifying policies, standards and procedures

    Holding employees accountable to policies and standards

Time spent by IT on the protection and handling of sensitive data:

                                              Industry lagging      Industry norm        Industry leading
                                              (22 data losses       (6 data losses       (fewer than 2 data
                                              annually)             annually)            losses annually)
Number of full days per month spent by IT
on protecting sensitive data                  3.0 days per month    4.7 days per month   7.1 days per month
Percentage of time dedicated by IT to
protecting sensitive data                     14%                   22%                  33%


IT controls and sensitive data losses

Leading organizations, those with the least number of data losses, are employing many different IT controls to help stem data losses. This is in stark contrast to all other firms, where IT controls are either not being employed or only a limited set of controls is being employed (Figure 9).

    Use of IT controls among leading organizations

Reliance on IT controls among the leading organizations, the firms with fewer than two sensitive data losses in the past year, is significantly higher than the mean for five technologies, and higher than the mean for another six technologies.

The five primary IT controls being employed by industry leading organizations to better protect sensitive data include:

    Audit, measurement and reporting tools

    Network access controls

    Application, server and PC access controls

    Internet threat controls

    Data protection and cryptography tools

After these five, a secondary group of six IT controls is being utilized by firms with the lowest data losses. These controls include: data archive and restore systems; IT asset tracking and reporting tools; IT configuration management tools; data leakage, audit and reporting tools; IT change management tools; and role-based access controls.

What is noticeable about organizations with the lowest data losses is the widespread use of many different IT controls to protect sensitive data. What is even more interesting is the almost continuous measurement of controls and procedures. Instead of assuming the IT controls are working to protect data, the leaders are placing many different IT controls in the environment, and are monitoring and measuring them weekly.

    Use of IT controls among normative firms

In contrast, organizations operating at the norm, those with an average of six annual data losses, are primarily using access controls for applications, servers and PCs, along with access controls for networks, to protect sensitive data.

    Use of IT controls among lagging firms

Lagging firms, those with the most data losses, are well behind the mean when it comes to using any IT controls to protect sensitive data. The only controls that are above the mean, and only slightly, are auditing, measurement and reporting tools.


Figure 9: IT controls from laggards to leaders (Source: IT Policy Compliance Group, 2007)

Lost data: lost revenues, lost customers and additional expenses

In a related but separate benchmark that was conducted in December of 2006 by the IT Policy Compliance Group with another 254 organizations, one of the principal findings that emerged is that data losses that are publicly reported are resulting in revenue losses, lost customers and additional expenses. For all organizations, the average impact of data thefts and losses includes:

    An eight percent loss of customers

    An eight percent decline in revenue

    Additional expenses of $100 per record to notify customers and restore data

    Clearly, data is money and the business and financial impact of data theft and loss are real.

Figure 9 plots the deviation from mean (scale 15%) in the use of each IT control for industry laggards, the industry norm and industry leaders. The controls charted are: data archive and restore systems; auditing, measurement and reporting tools; data tagging and records management tools; data protection and cryptography; Internet threat controls; network access controls; application, server and PC access controls; data pattern matching and reporting tools; data content filtering and reporting tools; role-based access controls; data leakage, audit and reporting tools; IT asset tracking and reporting tools; IT configuration management tools; IT change management tools.


Benefits of protecting sensitive data

The two primary benefits cited by all organizations for protecting sensitive data include assurance of integrity for company brand and image, and less concern about electronic theft. Nearly one-in-two organizations (46 percent) cite assurance of integrity for the firm's brands and its image as the highest reward for protecting sensitive data. Slightly behind this, about one-in-three organizations (33 percent) say reduced concern about electronic theft is the primary benefit of protecting sensitive data (Figure 10).

Figure 10: Benefits of protecting sensitive data (Source: IT Policy Compliance Group, 2007)

Ranked lower and by fewer organizations are a range of benefits, including: less concern about data leakage and public news reports; reductions and/or avoidance of litigation and associated costs; less concern about external audit findings; improvements to customer loyalty and retention; continued business with major customers and trading partners; and less concern about competitive access to sensitive data. Ranked lowest and by the fewest number of organizations are reduced insurance costs and improvements to shareholder value.

Figure 10 plots the percentage of organizations (0% to 50%) citing each of ten benefits: 1. maintenance of shareholder value; 2. improved customer loyalty and retention; 3. less concern about external audit findings; 4. reduction and/or avoidance of litigation and cost; 5. continued business with major customers and trading partners; 6. assurance of integrity for company brand and image; 7. less concern about data leakage and public news reports; 8. reduced insurance cost; 9. less concern about sensitive data being used by competitors; 10. less concern about electronic theft.


How different are the leading organizations?

Leading organizations, those with the least number of sensitive data losses, are experiencing six key benefits from protecting data that are above mean. Of these, the benefits that are far above mean include assurance of integrity for the company brand and image, along with less concern about data leakage and public news reporting (Figure 11).

Figure 11: Benefits from laggards to leaders (Source: IT Policy Compliance.com, 2007)

A correlated benefit being achieved by the leaders is less concern about electronic theft. The findings from the benchmark with 254 other organizations show a direct relationship between data loss rates, revenue losses, customer losses and additional expenses. It is no wonder that leading organizations also demonstrate above-mean results for customer retention and loyalty, lower concern about external audit findings and less concern about sensitive data being used by competitors.

Aside from the benefits measured by this benchmark, the findings of the companion benchmark on the financial implications of data loss show that by protecting data, organizations are not placing revenue, customers, and the future of the organization at risk.

Figure 11 plots the deviation from mean (scale 11%) for industry laggards, the industry norm and industry leaders across the benefits: shareholder value maintained; customer loyalty and retention improved; reduction or avoidance of litigation and cost; continued business with major customers and trading partners; assurance of integrity for company brand and image; less concern about data leakage and public news reports; less concern about sensitive data being used by competitors; reduced insurance cost; less concern about electronic theft; less concern about external audit findings.


Based on the benefits being realized and the results being achieved by leading organizations, it simply makes sound business sense to take action to protect sensitive data. It costs much less to protect sensitive data than it does to replace lost customers and repair damage to the image of the organization and its brand equity, in most cases an irreplaceable asset.

    Recommendations for action

    Based on the benchmark findings, the key recommendations include:

    Measure your own data losses

    Identify the most critical sensitive data

Don't forget to protect critical IT security and audit data

Reduce human errors

Inventory your IT controls, especially those for PCs, laptops, mobile field devices, Email, Web, Internet channels, applications and databases

    Monitor and report on the effectiveness of controls and procedures weekly

If your organization does not know how much sensitive data is being lost, now is the time to find out, before it becomes public knowledge. After determining how much and what type of data is being lost, focus on what it will take to protect the most sensitive data, not all data. Do not forget to place IT security data and regulatory audit data at the top of the list: one provides the keys to the vault, the other a record of what was removed and who removed it.

    IT controls and monitoring

Take an inventory of your IT controls to determine what is deployed and what needs to be deployed to protect sensitive data. Don't assume that one technical control is enough: the experience of the leaders shows that deploying many controls, monitored weekly, is a key success criterion for protecting sensitive data. Resolve to monitor controls and procedures covering sensitive data weekly. If your organization cannot achieve this immediately, set a date to achieve it and look for audit and measurement tools that will enable it.

    Policy and organizational strategy

If policies covering sensitive data do not exist, develop them. Review the policies that exist and modify them to cover business and financial risks. Reduce human error where possible. Review and modify your policies regarding sensitive data, identify its custodians and guardians, develop and deliver training to employees and contractors, and hold people accountable.

Last but not least: make data protection part of the culture of the organization by making it everyone's responsibility.


Author profile

Jim Hurley
Managing director, Research, IT Policy Compliance Group
Research director, Symantec

Jim Hurley is managing director of the IT Policy Compliance Group and a director of research with Symantec Corporation. In his role, Jim is responsible for working with members to drive, field, and deliver benchmarks and reports that focus on enabling organizations to improve their IT policy compliance results. Jim comes to the IT Policy Compliance Group and Symantec after more than 10 years as the vice president of research with Aberdeen Group, an independent research, analysis, and consulting organization. His 25 years in scientific, healthcare, IT and technology-related industries have included multiple roles including management, operations, sales, marketing, customer service, research, design, development, and manufacturing.

    Research methodology

This IT Policy Compliance Group Benchmark covering data losses and actions to improve results was conducted with 201 organizations between August and October of 2006. The margin of error is plus or minus six percent. The majority of participating organizations (90 percent) are located in the United States. The other ten percent are located around the globe, in Germany, the United Kingdom, Australia, Brazil, Canada, the United Arab Emirates, Japan and elsewhere. The companion benchmark covering financial losses from data losses was conducted with another 254 organizations in December of 2006. Demographic details of this companion benchmark will be included in an upcoming report.

    Size of organizations

Thirty-five percent of the organizations participating in this Benchmark have annual revenues, assets under management or budgets of less than $50 million. Another 35 percent have annual revenues, assets under management or budgets that are between $50 million and $499 million. The remaining 30 percent have annual revenues, assets under management or budgets that are $500 million or more.


Industries represented

A wide range of industries participated in the benchmark, including aerospace; automotive; banking; chemicals; computer equipment and peripherals; computer software and services; construction, architecture and engineering services; consumer electronics; consumer packaged goods; distribution; education; financial and accounting services; general business and repair services; government (public administration); government (defense and intelligence); health, medical and dental services; insurance; law enforcement; legal services; management, scientific and consulting services; manufacturing; medical devices; metals and metal products; mining, oil and gas; publishing, media and entertainment; real estate, rental and leasing services; retail trade; transportation and warehousing; travel, accommodation and hospitality services; utilities; and wholesale trade. Manufacturing, along with health, medical and dental services, each account for 12 percent of participating organizations. All other industries represent less than ten percent of participating organizations.

    Number of operating locations

Forty-eight percent of participating organizations operate from five or fewer locations. Thirty-five percent operate from between six and 49 locations. The remaining 17 percent operate from 50 or more locations.

    Number of employees

Thirty-six percent of participating organizations employ fewer than 250 persons. Thirty-six percent employ between 250 and 2,499 persons. The remaining 28 percent employ 2,500 or more.

    Participants

Twenty-six percent of participants in this Benchmark are senior managers (CEO, CFO, CIO, etc.), 11 percent Vice Presidents, 36 percent managers or directors, 23 percent staff, and four percent internal consultants. Thirty-three percent of the participants work in finance and internal controls, another 28 percent work in IT, 10 percent are employed in customer service, and the remaining 29 percent are distributed across a wide range of job functions, including legal, compliance, sales, marketing, design, development, manufacturing, procurement, and logistics.


Appendix: Data losses in the U.S. since ChoicePoint

Since the public announcement of sensitive data losses at ChoicePoint, from February 15, 2005 to January 19, 2007, the Privacy Rights Clearinghouse (PRC) has recorded 453 separate incidents of data loss involving sensitive, personally identifiable information, about one publicly reported data loss event every two days. According to the PRC, more than 100 million records of personally identifiable data were exposed, stolen or lost during this period.

The information collected by the PRC has been categorized by the date that a data loss was made public, the name of the organization involved, and the type and number of records involved. The IT Policy Compliance Group has not verified whether the data compiled by the PRC is accurate and complete.

What is clear from the PRC information is that almost every industry has experienced sensitive data loss, with some industries more affected than others. Moreover, most of the institutions listed are widely known. The cause for the data breaches in these 453 incidents, according to the PRC, ranges widely, from computer hacking to stolen laptops and misplaced archive tapes, among other causes. The data from the PRC does not include unreported data breaches. It appears that much of the sensitive data losses cataloged by the PRC involve employee, customer, and financial data.

What is not clear is whether the data losses also involve corporate, business partner, sales, sourcing, logistics, manufacturing, design, audit, and IT security data.

The PRC information covering data breaches since ChoicePoint can be reviewed at its website: http://www.privacyrights.org/ar/ChronDataBreaches.htm.


About IT Policy Compliance Group sponsors

The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. The IT Policy Compliance Group focuses on assisting member organizations to improve compliance results based on fact-based benchmarks.

The IT Policy Compliance Group Web site at www.itpolicycompliance.com features content by leading experts in the world of compliance and published reports containing primary research. Research and benchmarks sponsored by the Group produce fact-based insight and recommendations about what is working and why.

The results of Group-sponsored research are designed to help security and compliance professionals to:

Benchmark IT policy compliance efforts against peers and best-in-class performers

Identify key drivers, challenges, and responses to implement successful IT policy and security compliance initiatives

Determine the applicability and use of automation tools to assist, streamline, and improve results

    Identify best practices for IT policy and compliance programs

    IT Policy Compliance Group sponsors

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
+1 (408) 517 8000
www.symantec.com

The Institute of Internal Auditors
247 Maitland Ave.
Altamonte Springs, FL, 3270-4201, USA
+1 (407) 937 1100
www.theiia.org

Computer Security Institute
600 Harrison St.
San Francisco, CA 94107
+1 (415) 947 6320
www.gocsi.com

Protiviti
1290 Avenue of the Americas, 5th Floor
New York, NY 10104
+1 (212) 603 [email protected]
www.protiviti.com


    IT Policy Compliance Group

    Managing Director, Jim Hurley Telephone: +1 (216) 321 7864 [email protected]

Managing Editor, John Ortbal Telephone: +1 (847) 444 0344 [email protected]

    www.itpolicycompliance.com

    February 2007

Founded in 2005, the IT Policy Compliance Group conducts benchmarks that are focused on the interrelationships between compliance and IT, with the aim of delivering fact-based guidance to organizations on the steps that can be taken to improve compliance results. Benchmark results are reported through www.itpolicycompliance.com for the benefit of members.