New study reveals enterprises are Under-investing in the Protection of Corporate Secrets

April 2010 by Forrester consulting

RSA, The Security Division of EMC, and Microsoft announced the results of a commissioned
global survey conducted by Forrester Consulting on behalf of RSA and Microsoft,
entitled "The Value of Corporate Secrets: How Compliance and Collaboration Affect
Enterprise Perceptions of Risk." The
survey of 305 IT security decision-makers worldwide revealed that enterprises are
investing heavily in compliance and protection against accidental leaks of custodial
data (such as customer information), but under-investing in protection against theft
of far more valuable corporate secrets.

Security Spending Mis-aligned with Information Value

"Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data
privacy laws, data breach regulations, and existing data security policies is the
primary driver of their data security programs. Significant percentages of
enterprise budgets (39%) are devoted to compliance-related data security programs,"
according to Forrester Consulting’s study. "But secrets comprise 62% of the overall
information portfolio’s total value while compliance-related custodial data
comprises just 38%, a much smaller proportion. This strongly suggests that
investments are overweighed toward compliance."

"Companies are spending money to protect customer, medical and payment card
information, as they should, but more emphasis needs to be placed on protecting the
intellectual property and data that has intrinsic value to an organization," said
Sam Curry, CTO, Marketing, RSA, The Security Division of EMC. "If IP is lost, it
can cause long term competitive harm to an organization. The recent and
highly-sophisticated attacks targeting intellectual property of large multinational
companies are examples of this type of loss."

Information Theft is More Costly than Accidental Loss

The survey found that while organizations focus on data security incidents related
to accidental loss, information theft by employees or trusted outsiders is more
costly. For example, based on responses received in the survey, employee theft of
sensitive information is 10 times costlier than accidental loss on a per-incident
basis: hundreds of thousands of dollars versus tens of thousands.

"Insider risk is a real and growing threat and the modern enterprise environment of
collaboration with a variety of outside parties creates more opportunities for
leakage and theft," said John Chirapurath, senior director of the Identity and
Security Business Group at Microsoft. "This data illustrates that the more a
company has to lose in terms of information value, the more criminal activity it
will face."

A Need for Real Assessment and Measurement of Information Security

Despite a wide range in security spending, views on the value of information and the
number of security incidents reported among the respondents, nearly every company
surveyed rated its security controls to be equally effective.

"Most enterprises do not actually know whether their data security programs work or
not, other than by raw incident counting," according to Forrester Consulting.
‘Compliance’ in all its forms has helped CISOs buy more gear. But it has
distracted IT security from its traditional focus: keeping company secrets secure."

Together, Forrester, Microsoft and RSA are providing a set of recommendations
within the study to help enterprises ensure that their information security
strategies are appropriately balanced, including:

- Identify the most valuable information assets in the company’s portfolio

- Create a "risk register" of data security risks that documents specific threat scenarios

- Assess and reprioritize the IT security program’s balance between compliance and protecting secrets

- Increase vigilance of external and third-party business relationships

- Measure data security program effectiveness

