Tuesday, December 04, 2007

IT Policy Compliance Group issues study on data breaches and information theft

Today, the IT Policy Compliance Group released an interesting report on the state of compliance and how it relates to the growing phenomenon of information theft and data breaches.

The IT Policy Compliance Group is a non-profit organization supported by the Computer Security Institute, the Institute of Internal Auditors, ISACA, the IT Governance Institute, Protiviti and Symantec. The report reflects the findings of a survey of more than 450 organizations.

To sum up the main findings in the report:

The most recent benchmark research conducted by the IT Policy Compliance Group (IT PCG) reveals an intimate relationship between financial outcomes, sustained competitive advantage, data protection, and regulatory compliance.

The core competencies for protecting sensitive data are the result of this research and show the practices, procedures, and organizational strategies being implemented by organizations with the least loss and theft of sensitive data. A company’s ability to sustain its competitive advantage is enabled by protecting its sensitive data, resulting in better customer retention while protecting the brand and reputation of the firm. Protecting sensitive data helps a company avoid revenue loss, market capitalization loss, and unnecessary expenses.

The findings in the report show that many organizations are struggling with high rates of data loss and theft. 87 percent of them suffer data loss or theft 3 to 12 or more times a year. The remaining 13 percent, with three or fewer occurrences, have something in common: an efficient and workable compliance program.
The organizations with the fewest occurrences focus on 30 or fewer control objectives. This is in stark contrast to the organizations with a higher occurrence rate, which focus on 80 or more control objectives.

These organizations (the ones with the fewest occurrences) have examined their control points, carefully selected the most important ones and kept their attention on them.

Organizations with the fewest occurrences also inspect their control points more frequently. The most compliant organizations, those with the fewest occurrences, inspect them on average every 19 days. The organizations with the most occurrences inspect their control points on average every 230 days.

Data breaches and information theft are getting more and more expensive for the organizations that suffer the unfortunate experience of having one happen to them:

Financial outcomes from the loss or theft of sensitive data include customer defections, revenue declines, declines in stock price for publicly traded firms, and additional expenses (see Why Compliance Pays: Reputations and Revenues at Risk, IT PCG, July 2007). Additional financial risk results from expenses incurred for litigation, litigation settlements, consumer credit counseling, investigations, data restoration, and necessary (and after-the-fact) get-well efforts. Averaging nearly 8 percent of revenue, the expected losses from benchmarks conducted with hundreds of organizations are mirrored by actual experience.

The report points out that one size doesn't fit all when a data breach occurs, but there is little doubt that the cost is rising and will continue to do so as public awareness grows from the media coverage some of these breaches receive.

The report also acknowledges that, despite the large number of reported data breaches, many more are never discovered.

Information is worth money, whether it is used to commit financial crimes or to gain a competitive edge over another organization. Undiscovered occurrences are more valuable to the people stealing the information, because nothing has been done to counter the fact that they have it: no credentials revoked, no accounts monitored, no customers warned.

The recent TJX data breach, which some sources now estimate at up to 100 million records lost, has already led TJX to report a $118 million loss in its second-quarter earnings.

A key finding in the report is the importance of the human factor. Anyone who has studied information theft or data breaches knows that the human factor is often what compromises information.

I've often written that no amount of security is going to stop a motivated person who has been given access to the information.

Social engineering techniques are also used by criminals to trick employees into either giving up the information or downloading software that compromises it by more technical means.

A good example of this is a recent study issued by the Treasury Inspector General for Tax Administration (TIGTA). The report revealed that 60 percent of the IRS employees tested compromised sensitive information when subjected to social engineering techniques routinely employed by criminals.

According to the IT PCG report, these are the different conduits for data breaches and information theft revealed by the study:

The conduits through which sensitive data is being lost and stolen include data residing on PCs, laptops, and mobile devices; data leaking through email, instant messaging, and other electronic channels; and data that is accessed through applications and databases.
Notably, most of the conduits listed above involve some human action for the loss to occur.

It never ceases to amaze me when I see another report where a laptop, tape, or disc containing sensitive information is lost. Even worse, we still see occurrences where the information wasn't even encrypted.

A case in point is the recent occurrence in the United Kingdom, where unprotected discs containing the child benefit records of 25 million people were sent through the mail.

The report goes into more depth on how information theft occurs and states:

After user error, the most common contributions to data loss and theft include violations of policy, Internet threats and attacks, lost and stolen laptops, IT vulnerabilities, and insufficient controls in IT. These sources of data loss and theft can be countered with a combination of policy violation sanctions and procedural and technical controls.
The report sums up its findings with the sources of compliance deficiencies. It found that five areas are directly related to IT security, three areas are related to the IT function and may relate to IT security, and two others are directly related to procedures and may or may not involve IT.

Today, besides people, information technology is what runs most organizations. The reason is obvious: it reduces costs and makes things run more efficiently. For the same reason, when that technology is used improperly it makes criminals more efficient too, and provides them with new avenues to commit crimes.

That said, this report has a lot of valuable information for anyone developing a compliance program to protect this asset (information).

The report cites the Attrition.org data loss archive as a resource. This is also a valuable resource for anyone looking at the growing phenomenon of data breaches/information theft.

Here is the statement of purpose for the IT Policy Compliance Group from their site:

The www.ITpolicycompliance.com web site is dedicated to promoting the development of actionable, fact-based findings that will help professionals to better meet the policy and regulatory compliance goals of their organizations. Supported by members such as the Institute of Internal Auditors, the Computer Security Institute, and Symantec (collectively known as the IT-Policy Compliance Group), the web site focuses on delivering information that will assist in improving IT compliance results based on primary benchmark research.

The full report is available on the site.

1 comment:

Ben Wright said...

Ed: As we see from the report, many data security breaches have been made public in recent years. But I believe more breaches are being reported than is wise. A minor security misstep should not warrant a public data breach announcement.

--Ben