Earlier we referenced a recent report that indicated that companies are spending too much time on compliance and not enough on protecting secrets. We thought we’d take a closer look and examine the study’s implications in the enterprise.
The Value Of Corporate Secrets: How Compliance And Collaboration Affect Enterprise Perceptions Of Risk surveyed 305 IT security decision-makers to understand how enterprises value and protect their enterprise information portfolios.
Increasing Demands, Misguided Priorities
Though chief information security officers (CISOs) face increasing demands from their business units, regulators and business partners to safeguard their information assets, their priorities are misdirected. The study revealed that enterprises devote 80% of their security budgets to compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each.
In comparison, secrets comprise 62% of the overall information portfolio’s total value, while compliance-related custodial data comprises just 38%, a much smaller proportion.
Additionally, executives seem to underestimate the value of their information. While losing laptops and other information accidentally is never good, losing it through more malicious means is far worse.
Overall, executives don’t actually know how effective their security controls are. Regardless of information asset value, spending, or the number of incidents observed, nearly every company rated its security controls as equally effective -- even though the number and cost of incidents varied widely.
Even enterprises whose information has been compromised rated their programs as “very effective.” Obviously there are definitive misconceptions when it comes to enterprise security.
Information at Risk
But just what kind of information is going unprotected and is at risk of theft?
The report says that secrets and custodial data are at greatest risk. Secrets are proprietary company information that generates revenue, increases profits and maintains competitive advantage.
Custodial data, such as customer, medical and payment card information, has value because regulations or contracts make it toxic when spilled and costly to clean up.
Secrets are usually the information that enterprises create and want to keep from being released publicly. Yet secrets aren’t always well organized and managed, which makes them easier to lose or steal.
Of course, it’s silly to think that companies want to lose any data. Losing custodial data isn’t ideal either, for obvious reasons such as the harm to customer privacy and to a company’s reputation.
Wasting Time and Money
Because companies underestimate the value of their data, mismanage company secrets and overestimate the security controls in place, it’s no surprise that they are wasting lots of time and money.
The cost of losing data compounds the problem. The study showed that the total cost for all lost smartphone incidents was US$ 134,000, with about half incurring minimal or no costs. The average cost per incident was US$ 12,000.
Lost laptop incidents were slightly more costly and slightly more serious, with a total cost of US$ 179,000 and a per-incident cost of US$ 26,000. Accidental leakages incurred just US$ 174,000 in total cost and had a per-incident cost of US$ 26,000.
But that’s pennies compared to the costs associated with malicious theft by insiders and third parties. When a rogue employee steals sensitive company documents, it costs US$ 363,000 per incident. And damage caused by a rogue IT administrator costs US$ 452,000 on a per-incident basis.
Increased collaboration makes data security more important. Across the enterprise, companies can manage their information more securely by identifying threat scenarios and assessing the types of information given to third parties, especially the extent to which that information is stored on assets the company does not own. Ultimately, by paying closer attention to their security controls and monitoring them regularly, companies can save money while limiting risk.