A recently released study has reported that nine in ten firms are exposed to financial risks resulting in data loss or theft.
Complied by the IT Policy Compliance Group the research report is titled “Why Compliance Pays: Reputations and Revenues at Risk.”
According to the report organisations experiencing a publicly reported data loss can expect an eight percent decline in customers and revenue, an eight percent decline in the price per share for publicly traded firms and additional expenses averaging USD 100 per lost customer record.
Among larger enterprises, the probability of a publicly disclosed data loss is likely once every three years if the firm is currently operating as a laggard. In contrast, organizations with the best results have delayed the probability of data loss to once in every 42 years. The benchmarks show that the organizations excelling at compliance are the same firms with the least data losses and the least business disruptions from IT downtime.
“The vast majority of businesses and public institutions are still struggling with high rates of annual compliance deficiencies, resulting in business disruption, data loss and theft,” said James Hurley, principal software engineer, Symantec Corp. and managing director, IT Policy Compliance Group.
“While the probability of data loss and business disruption occurring in an organization is less a matter of ‘if’ than ‘when,’ there are a number of compliance, risk and governance practices that, if implemented correctly, could significantly reduce the frequency and impact of these events.”
The research shows that successful firms, those with the fewest data losses and thefts, are driving operational excellence in IT by improving compliance results, especially in IT general controls and IT security controls and procedures. More notable, the benchmarks show the least data loss among firms that are monitoring and measuring controls against objectives consistently, at least once every two weeks.
Based on what is working among organizations with the fewest data losses, the IT Policy Compliance Group report identifies practices that will assist businesses with improving IT compliance results, reduce business downtime, and reduce data loss and theft. These steps include:
• Implementing more and appropriate IT controls
• Reducing control objectives, making it easier to communicate, measure and report against
• Establishing higher standards for performance objectives
• Encouraging a culture of operational excellence in IT
• Conducting monitoring, measurement and reporting of controls against objectives at least once every two weeks
• Allocating more spend to controls automation
In addition to spending larger percentages of the IT budget on IT security controls, the firms with the fewest undisclosed latent data losses and least number of compliance deficiencies are reallocating monies away from external contract spend towards additional funding of equipment and software, specifically targeted at automating the monitoring and measurement of controls and procedures.
The IT Policy Compliance Group was formed to conduct benchmark research and promote best practices that help IT professionals successfully address policy and regulatory compliance challenges. It is made up of members from several leading organizations including: the Computer Security Institute, The Institute of Internal Auditors, Protiviti, Information Systems Audit and Control Association , IT Governance Institute, and Symantec Corporation
For more information and to download the latest research report, titled “Why Compliance Pays: Reputations and Revenues at Risk,” visit www.ITPolicyCompliance.com |
