Taking Action To Protect Sensitive Data
Contents

Executive summary
  Key findings
  Implications and analysis
  Recommendations for action
Key findings
  Unconfirmed reports of sensitive data loss
  Data loss results: confirmed losses of sensitive data
  Which data are most sensitive?
  Leading causes of data loss
  The primary channels for sensitive data loss
  Responding to the challenge of protecting sensitive data
  Strategic actions to protect sensitive data
  Better results: more frequent monitoring and measurement
  Time allocated to protecting sensitive data
  IT controls and sensitive data losses
  Lost data: lost revenues, lost customers and additional expenses
  Benefits of protecting sensitive data
Recommendations for action
Author profile
Research methodology
Appendix
  Data losses in the U.S. since ChoicePoint
About IT Policy Compliance Group sponsors
Executive summary
Key findings

Extent of the data loss problem

When it comes to data losses, not all organizations are alike: some are experiencing only a few, while others are suffering many losses of sensitive data. The benchmark shows that:
- About one in ten organizations (twelve percent) are experiencing fewer than two losses of sensitive data each year
- The vast majority of organizations, almost seven in ten (68 percent), are experiencing six losses of sensitive data annually
- A fairly sizable two in ten organizations (twenty percent) are suffering 22 or more sensitive data losses per year

The type of data being lost, stolen or destroyed

The most sensitive losses are of data that is stolen, leaked or destroyed, and include:
- Customer data
- Financial data
- Corporate data
- Employee data
- IT security data

Leading causes of data loss

The leading causes of sensitive data loss are three primary problems:
- User errors
- Violations of policy
- Internet threats, attacks and hacks

Primary channels through which data are being lost

The primary conduits through which sensitive data are being lost include:
- PCs, laptops and mobile devices
- Email, instant messaging and other electronic channels
- Applications and databases, and the systems these operate on

Financial impacts of data loss

The average financial losses and costs experienced by organizations from publicly reported stolen and lost data include:
- A loss of customers amounting to eight (8) percent
- A commensurate loss of revenue amounting to eight (8) percent
- $100 in expenses per customer record to notify customers and restore data that has been lost, stolen or destroyed
Key findings (continued)

Taking action to reduce financial and sensitive data losses

Actions proven to mitigate and reduce data loss, taken by the firms with the fewest data losses, include:
- Measuring actual data losses
- Identifying the most critical sensitive data, including IT security and regulatory audit data
- Modifying policies and procedures
- Making data protection everyone's business
- Inventorying IT controls, especially those for PCs, laptops, mobile field devices, Email, Web, Internet channels, applications and databases
- Employing many different IT controls to mitigate data loss, destruction and theft
- Weekly monitoring and reporting on the effectiveness of controls and procedures

Use of multiple IT controls

Instead of being fixated on one IT control, such as cryptography to protect data on laptops, best-in-class organizations are employing multiple technologies, including audit, measurement and reporting tools; network access controls; application, server and PC access controls; Internet threat controls; data protection and cryptography tools; and data archive and restore systems, among others. Organizations with higher losses of sensitive data are either employing a limited selection of IT controls or are not using IT controls to help reduce sensitive data loss.

The business benefits of protecting sensitive data

The primary business benefits of protecting sensitive data include:
- Assurance of integrity for the company brand and image
- Lowered concerns about electronic theft
- Improvements in customer loyalty and retention
- Fewer customer defections
- Lower revenue losses
- Lower expenses to notify customers and restore data
Technologies

Place bets on multiple IT control baskets to protect data, especially the following:
- Auditing, measurement and reporting tools
- Network access controls
- Application, server and PC access controls
- Internet threat controls
- Data protection and cryptography tools

If these are in place, aim to include additional IT controls, including data archive and restore systems; IT asset tracking and reporting tools; IT configuration management tools; data leakage, audit and reporting tools; IT change management tools; and role-based access controls.

Organizational strategy

The first line of defense to protect data includes all the people who handle data: this covers data outsourced to and managed by business partners, not just employees. Review and update policies for sensitive data protection, handling, retention and destruction. Conduct training and implement accountability programs that reward good behavior and compliance with policies.
Failing to protect IT security and regulatory audit data is like a bank giving away the combination to the vault. And this is exactly what most firms are doing. Instead of securities and cash, these firms are putting sensitive data, customers, revenues and business futures entirely at risk.
While some parts of the organization may be better suited to fulfill the roles of data guardians and data custodians, do not make data protection the sole responsibility of internal controls, employees handling sensitive customer data, business unit managers, IT, legal or human resources: it is everyone's job.
Key findings
It's hard to imagine what businesses would do without technology. With most commercial interactions (and transactions) riding on multiple internal and external electronic environments, and with ever-mounting mandates for demonstrating accountability, organizations have more incentive than ever to keep core business data safe and secure. What are companies doing to protect their data, and are these efforts successful? This Benchmark report provides a clearer understanding of the state of data protection across many different industries, and compares the characteristics and the strategic and tactical actions that improve results. Because the issue is under-reported (no organization wants to be featured on the front page of the business press for losing customer data), the findings and numbers are enlightening and compelling, and will hopefully act as a diagnostic framework for taking action to reduce data loss, customer loss and revenue loss, and hence improve results.
2007 IT Policy Compliance Group
What was measured by this benchmark

Measured:
- Data reported as missing, leaked, accidentally deleted, destroyed or stolen
- Data confirmed as missing, leaked, accidentally deleted, destroyed or stolen

Not measured:
- Data losses distinguished by type of event, including how much data was missing, leaked, deleted, destroyed or stolen, among others
Figure 1: Sensitive data loss results (Source: IT Policy Compliance Group, 2007). Labels recovered from the figure: industry normative organizations, 68 percent of organizations, with loss reports in the middle of the pack, experience a more moderate level of 19 unconfirmed but reported data losses each year; industry leading organizations, 12 percent of organizations, with the fewest reports of data loss, experience five (5) unconfirmed but reported data losses each year.
Figure 2: Least and most sensitive data (Source: IT Policy Compliance Group, 2007). Vertical axis: percentage of organizations. Data types charted: 1. Customer data; 2. Corporate data; 3. Employee data; 4. Business partner data; 5. Financial data; 6. Sales data; 7. Design data; 8. Manufacturing data; 9. Sourcing and logistics data; 10. Intellectual property data; 11. Audit and reporting data; 12. IT security data.
Most sensitive data among organizations with the fewest losses

The types of data considered most sensitive by leading organizations (those with the fewest confirmed data losses) include IT security data, customer data, corporate data, employee data, financial data, and regulatory audit and reporting data.

Most sensitive data among organizations with the largest losses

The data considered most sensitive by lagging organizations (those with the highest confirmed data losses) are financial data, customer data, corporate data, employee data, and regulatory audit and reporting data.
Differences by data loss results IT security data is ranked as the most sensitive data by 92 percent of firms with the lowest rate of actual data losses. By comparison, only 46 percent of the lagging organizations, firms with the highest confirmed cases of sensitive data loss, rank IT security data as the most sensitive data. A comparable variance occurs with regulatory audit and reporting data. Seventy-five percent of leading organizations rank audit and reporting data as their most sensitive data. This compares with 37 percent of lagging organizations that rank IT security data as their most sensitive data (Figure 3).
Figure 3: What lagging and leading organizations consider sensitive (Source: IT Policy Compliance Group, 2007). Series: industry leaders (fewest sensitive data losses) and industry laggards (most sensitive data losses); vertical axis: percentage of organizations. Data types charted: 1. Customer data; 2. Corporate data; 3. Employee data; 4. Business partner data; 5. Financial data; 6. Sales data; 7. Design data; 8. Manufacturing data; 9. Sourcing and logistics data; 10. Intellectual property data; 11. Audit and reporting data; 12. IT security data.
Leading organizations: leveraging the sentinels guarding valued business data

Companies seeking improved data protection results would do well to take the steps needed to protect IT security data. Because IT security data and regulatory audit and reporting data act as sentries, guarding and documenting the movement of business data, the experience of leading organizations indicates that protecting them is a necessary first step toward protecting sensitive and valued business data.

In contrast, almost 70 percent of firms, those with middle-of-the-road rates of data losses, are principally focused on protecting financial data, secondarily on protecting other forms of business data and, perhaps thirdly, on protecting IT security data, the mechanisms providing access to valued business data. Among lagging organizations, the sensitivity of IT security data and IT audit and reporting data, which provide evidence of access to sensitive business data, is below the mean for the entire population. This indicates that the firms with the highest data losses may be unaware, unwilling or unable to protect access to core business data and the records of such access.

How else do leading organizations differ?

When the ranking of sensitive data types is compared to the mean results of the population, the picture that emerges reinforces the value of IT security and regulatory data for protecting core business data among leading organizations (Figure 4). The types of data that leading organizations consider most sensitive are, in order: IT security data, customer data, corporate data, regulatory audit and reporting data, employee data, financial data and intellectual property data. Organizations operating at the industry norm focus on almost all the same business data as the leaders, but do not consider IT security data and regulatory audit data as sensitive. Lower valuations also emerge within the normative group for intellectual property and business partner data.
Figure 4: Data sensitivity by type and loss rates (Source: IT Policy Compliance Group, 2007). Data types charted: customer data; corporate data; employee data; business partner data; financial data; sales data; design data; manufacturing data; sourcing and logistics data; intellectual property data; regulatory audit and reporting data; IT security data.
By comparison, the only data that is as highly valued as sensitive by lagging organizations is financial data. Customer and corporate data are valued slightly above the mean. Otherwise, no other forms of data are considered sensitive by firms with the most data losses.
Human error is driving data losses

In one form or another, human error is the overwhelming cause of sensitive data loss, responsible for 75 percent of all occurrences. User error is directly responsible for one in every two cases (50 percent), while violations of policy (intended, accidental and inadvertent) are responsible for one in every four cases (25 percent). Malicious activity in the form of Internet-based threats, attacks and hacks is responsible for one in every five occurrences (Figure 5). After these top three causes, the common causes of data loss include: lost or stolen PC laptops; accidental damage to computing equipment; IT vulnerabilities; inappropriate usage of IT resources; insufficient IT controls; employee manipulation and malfeasance; insufficient controls on business procedures; inappropriate access to IT resources; improperly transferred backup media; and insufficient auditing, monitoring and reporting.
Figure 5: Leading causes of data loss (Source: IT Policy Compliance Group, 2007). Vertical axis: cause of data losses by number of events (1 in 2, 1 in 3, 1 in 4, 1 in 5, 1 in 10). N: 201. Causes charted: 1. Lost or stolen laptops; 2. Improperly disposed of computer equipment; 3. User errors; 4. Improperly transferred backup media; 5. Inappropriate access to IT resources; 6. Insufficient controls on business procedures; 7. Insufficient controls on IT procedures; 8. Internet threats, attacks and hacks; 9. Employee manipulation and malfeasance; 10. Accident and damage to computing equipment; 11. Inappropriate usage of IT resources; 12. Violation of policies; 13. Unauthorized access to IT resources; 14. Insufficient auditing, monitoring and reporting; 15. IT vulnerabilities; 16. Insufficient IT controls.
Although human error accounts for the vast majority of the causes of sensitive data loss, the remaining causes (each of which accounts for between two in ten and one in ten instances) are more evenly distributed and less concentrated. Among the least frequent causes of data loss are improperly disposed-of computing equipment, unauthorized access to IT resources and insufficient controls on IT procedures, each of which accounts for less than one in every ten instances of sensitive data loss.

Causes of data loss vary by performance results

Although the primary cause of data loss for most organizations is the interaction of people with computing systems, the specific causes of loss vary by performance results. Among organizations with the highest loss rates, employee manipulation and malfeasance, insufficient auditing and monitoring, and insufficient IT controls are among the top five leading causes of data loss. Among firms with the fewest losses, employee manipulation and malfeasance as well as inappropriate use of IT resources creep into the top five causes of data loss. Lastly, lost or stolen laptops, along with insufficient controls on IT and business procedures, are among the top five causes of data loss among the vast majority of firms (Table 1).
Table 1: Cause of data loss, laggards to leaders (Source: IT Policy Compliance Group, 2007). Columns: industry lagging, industry norm, industry leading (fewer than 2 data losses). Cell entries recovered from the table (column placement not recoverable):
- User errors (1 in every 1.5 events)
- Internet threats, attacks and hacks (1 in 3 events)
- Inappropriate usage of IT resources (1 in 4 events)
- Employee manipulation and malfeasance (1 in 4 events)
- Insufficient auditing and monitoring (1 in 5 events)
- Insufficient IT controls (1 in 5 events)
- Internet threats, attacks and hacks (1 in 6 events)
- Lost or stolen laptops (1 in 7 events)
Figure 6: Primary conduits for data loss (Source: IT Policy Compliance Group, 2007). Vertical axis: percentage of organizations. Conduits charted: 1. Data residing on PCs, laptops and other mobile devices; 2. Data leaking through Email, Instant Messaging and other electronic channels; 3. Data residing in centralized storage facilities and devices; 4. Data transferred to backup and archive sites; 5. Data that has been off-shored or outsourced; 6. Data in the hands of business partners and suppliers; 7. Data accessible through applications and databases; 8. Data in the hands of sales channel partners.
The only significant difference in the Benchmark is for data that has been outsourced or off-shored. Thirty-one percent of lagging organizations and 29 percent of leading organizations are finding that outsourced or off-shored data is a primary avenue for data loss, while only eight percent of firms operating at the norm experienced losses of sensitive data that had been outsourced or off-shored.
Prioritized ranking of responses, by industry lagging, industry norm and industry leading organizations. Entries recovered from the table (column placement not recoverable):
- Determining gaps and exposures for sensitive data
- Changing IT policies and procedures
- Maintaining IT controls for sensitive data
- Automating IT controls and procedures for protecting sensitive data
- Classifying and protecting sensitive data
- Maintaining an inventory of sensitive data
- Monitoring and measuring compliance with policies
- Delivering training to employees and contractors
- Changing business procedures
- Changing the behavior of employees and contractors
- Increasing the frequency of monitoring and measurements
Leading organizations: uniquely responding

A challenge uniquely found among the organizations with the fewest data losses is classifying data. Moreover, the prioritized responses being taken by the leaders are unlike those of all other organizations, and include:
1. Automating IT controls and procedures for protecting sensitive data
2. Maintaining an inventory of sensitive data
3. Increasing the frequency of monitoring and measurements

Having established policies and procedures along with a shared sense of ownership to solve the problem of data loss, the leaders are taking the next steps to reduce and mitigate data losses.
Figure 7: Strategic actions taken to protect sensitive data (Source: IT Policy Compliance Group, 2007). Actions charted: modified policies, standards and procedures; delivered training to employees and contractors; changed roles and responsibilities; centralized the storage of sensitive data; modified IT security controls and procedures; modified the classification of data; increased auditing, monitoring and reporting; held employees accountable to policies and standards.
Industry leading organizations: different strategic actions

Firms with the lowest number of data losses are taking five principal strategic actions to protect sensitive data:
- Increasing the frequency of measuring and reporting on the efficacy of controls and procedures
- Delivering training to employees and contractors
- Modifying IT security controls and procedures
- Modifying policies, standards and procedures
- Holding employees accountable to policies and standards

In contrast, lagging organizations are below the mean for seven of the eight strategic actions, while firms operating at the norm for protecting data are below the mean for three of the eight. What is particularly telling is the one action with the most divergence between the leaders and all other organizations: an increase in auditing, monitoring and reporting.
Example: a major bank in the United States

In addition to taking the top five strategic actions of leading organizations, a major bank in the United States broadened the responsibility for safeguarding customer data to include the employees who manage customer accounts in the business and consumer divisions. These employees were trained on the new procedures and policies for handling sensitive customer data. The bank also implemented quarterly data reviews as part of the compensation review for account managers. Its IT organization moved from measuring and monitoring controls and procedures once quarterly to once weekly, scheduled on random days from one week to the next.

Example: a manufacturing firm in Europe

A large manufacturing firm in Europe decided to implement additional controls on the information flowing through its electronic channels in order to first identify, and then reduce, losses of sensitive data. After identifying the primary sources of data loss, the firm implemented new policies, procedures and controls. It introduced training for employees and increased the frequency of its monitoring of controls and procedures to weekly.

Example: a mid-size insurance company

A medium-size insurance company suspected it was losing some type of data. After monitoring and documenting data losses, it formed a multi-disciplinary team to overhaul its policies, controls, procedures, and monitoring of sensitive data. Today, the firm identifies the potential impact of most sensitive data losses during, or within a few minutes of, each occurrence.

Example: a large legal services firm

This organization decided to classify all of its data, implement new policies and procedures, and hold all employees accountable to new standards. The firm now runs around-the-clock monitoring of controls and procedures for sensitive data.
Organizations with the fewest data losses are monitoring and measuring the effectiveness of controls and procedures to protect sensitive data once every four days.
Blind monitoring of controls on a more frequent basis, by itself, is unlikely to stem data losses. However, the Benchmark findings are clear: 100 percent of the leading firms (those with the fewest losses of sensitive data) are monitoring controls and procedures for sensitive data on at least a weekly basis. This single action, weekly monitoring of controls and procedures, is subscribed to by all leading firms, and is the strategic action that is making a significant contribution to retarding and eliminating the loss of sensitive data. By comparison, nearly all other firms (97 percent) are monitoring the effectiveness of controls and procedures on a substantially less frequent basis, ranging from monthly to annually. In fact, the average time between measurements for most organizations is once every 176 days, while the minority of lagging institutions are even more lax, measuring once every 205 days.
Figure 8: Frequency of monitoring and measurement (Source: IT Policy Compliance Group, 2007). Chart of how often the effectiveness of controls and procedures for protecting sensitive data is measured; vertical axis: percentage of organizations; horizontal axis (frequency of measurement): 1. Once annually; 2. Once per quarter; 3. Once per month; 4. Once per week; 5. Once per day. Performance results annotated on the figure: lagging, 22 data losses annually, measured once every 205 days; norm, 6 data losses annually, once every 176 days; leading, less than 2 data losses annually, once every 4 days.
Table 3: Time spent by IT on protecting data (Source: IT Policy Compliance Group, 2007)

Time spent by IT on the protection and handling of sensitive data:
- Number of full days per month spent by IT on protecting sensitive data: industry lagging, industry norm, industry leading (values not present in the extracted table)
- Percentage of time dedicated by IT to protecting sensitive data: industry lagging 14%; industry norm 22%; industry leading 33%
The Benchmark findings show that firms spending more time on the most important strategic actions are rewarded with lower confirmed data losses. In summary, the actions being taken by industry leading organizations that result in low loss rates include:
- Monitoring and measuring controls and procedures weekly
- Delivering training to employees and contractors
- Modifying IT security controls and procedures
- Modifying policies, standards and procedures
- Holding employees accountable to policies and standards
Lagging firms (those with the most data losses) are well behind the mean when it comes to using any IT controls to protect sensitive data. The only controls that are above the mean, and only slightly, are auditing, measurement and reporting tools.
Figure 9: IT controls from laggards to leaders (Source: IT Policy Compliance Group, 2007). Controls charted: data archive and restore systems; auditing, measurement and reporting tools; data tagging and records management tools; data protection and cryptography; Internet threat controls; network access controls; application, server and PC access controls; data pattern matching and reporting tools; data content filtering and reporting tools; role based access controls; data leakage, audit and reporting tools; IT asset tracking and reporting tools; IT configuration management tools; IT change management tools.
Figure 10: Benefits of protecting sensitive data (Source: IT Policy Compliance Group, 2007). Vertical axis: percentage of organizations. Benefits charted: 1. Maintenance of shareholder value; 2. Improved customer loyalty and retention; 3. Less concern about external audit findings; 4. Reduction and/or avoidance of litigation and cost; 5. Continued business with major customers and trading partners; 6. Assurance of integrity for company brand and image; 7. Less concern about data leakage and public news reports; 8. Reduced insurance cost; 9. Less concern about sensitive data being used by competitors; 10. Less concern about electronic theft.
Ranked lower and by fewer organizations are a range of benefits, including: less concern about data leakage and public news reports; reductions and/or avoidance of litigation and associated costs; less concern about external audit findings; improvements to customer loyalty and retention; continued business with major customers and trading partners; and less concern about competitive access to sensitive data. Ranked lowest and by the fewest number of organizations are reduced insurance costs and improvements to shareholder value.
How different are the leading organizations?

Leading organizations, those with the fewest sensitive data losses, are experiencing six key benefits from protecting data that are above the mean. Of these, the benefits far above the mean include assurance of integrity for the company brand and image, along with less concern about data leakage and public news reporting (Figure 11).
Figure 11: Benefits from laggards to leaders (Source: IT Policy Compliance.com, 2007). Benefits charted: shareholder value maintained; customer loyalty and retention improved; less concern about external audit findings; reduction or avoidance of litigation and cost; continued business with major customers and trading partners; assurance of integrity for company brand and image; less concern about data leakage and public news reports; reduced insurance cost; less concern about sensitive data being used by competitors; less concern about electronic theft.
A correlated benefit being achieved by the leaders is less concern about electronic theft. The findings from the benchmark with 254 other organizations show a direct relationship between data loss rates, revenue losses, customer losses and additional expenses. It is no wonder that leading organizations also demonstrate above mean results for customer retention and loyalty, lower concern about external audit findings and less concern about sensitive data being used by competitors.
It costs much less to protect sensitive data than it does to replace lost customers and incur damage to the image of the organization and its brand, an irreplaceable asset in most cases.
Aside from the benefit measured by this benchmark, the findings of the companion benchmark on financial implications of data loss show that by protecting data, organizations are not placing revenue, customers, and the future of the organization at risk.
Based on the benefits being realized and the results being achieved by leading organizations, it simply makes sound business sense to take action to protect sensitive data. It costs much less to protect sensitive data than it does to replace lost customers and repair damage to the image of the organization and its brand equity, in most cases an irreplaceable asset.
Author profile
Jim Hurley
Managing director, Research, IT Policy Compliance Group
Research director, Symantec

Jim Hurley is managing director of the IT Policy Compliance Group and a director of research with Symantec Corporation. In his role, Jim is responsible for working with members to drive, field, and deliver benchmarks and reports that focus on enabling organizations to improve their IT policy compliance results. Jim comes to IT Policy Compliance Group and Symantec after more than 10 years as the vice president of research with Aberdeen Group, an independent research, analysis, and consulting organization. His 25 years in scientific, healthcare, IT and technology-related industries have included multiple roles including management, operations, sales, marketing, customer service, research, design, development, and manufacturing.
Research methodology
This IT Policy Compliance Group Benchmark covering data losses and actions to improve results was conducted with 201 organizations between August and October of 2006. The margin of error is plus or minus six percent. The majority of participating organizations (90 percent) are located in the United States. The other ten percent are located around the globe, in Germany, the United Kingdom, Australia, Brazil, Canada, the United Arab Emirates, Japan and elsewhere. The companion benchmark covering financial losses from data losses was conducted with another 254 organizations in December of 2006. Demographic details of this companion benchmark will be included in an upcoming report.

Size of organizations

Thirty-five percent of the organizations participating in this Benchmark have annual revenues, assets under management or budgets of less than $50 million. Another 35 percent have annual revenues, assets under management or budgets that are between $50 million and $499 million. The remaining 30 percent have annual revenues, assets under management or budgets that are $500 million or more.
Industries represented

A wide range of industries participated in the benchmark, including aerospace; automotive; banking; chemicals; computer equipment and peripherals; computer software and services; construction, architecture and engineering services; consumer electronics; consumer packaged goods; distribution; education; financial and accounting services; general business and repair services; government (public administration); government (defense and intelligence); health, medical and dental services; insurance; law enforcement; legal services; management, scientific and consulting services; manufacturing; medical devices; metals and metal products; mining, oil and gas; publishing, media and entertainment; real estate, rental and leasing services; retail trade; transportation and warehousing; travel, accommodation and hospitality services; utilities; and wholesale trade. Manufacturing, along with health, medical and dental services, each account for 12 percent of participating organizations. All other industries represent less than ten percent of participating organizations.

Number of operating locations

Forty-eight percent of participating organizations operate from five or fewer locations. Thirty-five percent operate from between six and 49 locations. The remaining 17 percent operate from 50 or more locations.

Number of employees

Thirty-six percent of participating organizations employ fewer than 250 persons. Thirty-six percent employ between 250 and 2,499 persons. The remaining 28 percent employ 2,500 or more.

Participants

Twenty-six percent of participants in this Benchmark are senior managers (CEO, CFO, CIO, etc.), 11 percent Vice Presidents, 36 percent managers or directors, 23 percent staff, and four percent internal consultants. Thirty-three percent of the participants work in finance and internal controls, another 28 percent work in IT, 10 percent are employed in customer service, and the remaining 29 percent are distributed across a wide range of job functions, including legal, compliance, sales, marketing, design, development, manufacturing, procurement, and logistics.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 +1 (408) 517 8000 www.symantec.com info@symantec.com
The Institute of Internal Auditors 247 Maitland Ave. Altamonte Springs, FL, 3270-4201, USA +1 (407) 937 1100 iia@theiia.org www.theiia.org
Computer Security Institute 600 Harrison St. San Francisco, CA 94107 +1 (415) 947 6320 csi@cmp.com www.gocsi.com
Protiviti 1290 Avenue of the Americas, 5th Floor New York, NY 10104 +1 (212) 603 8300 info@protiviti.com www.protiviti.com
Founded in 2005, the IT Policy Compliance Group conducts benchmarks that are focused on the interrelationships between compliance and IT with the aim of delivering fact-based guidance to organizations on the steps that can be taken that will improve compliance results. Benchmark results are reported through www.itpolicycompliance.com for the benefit of members.
IT Policy Compliance Group Managing Director, Jim Hurley Telephone: +1 (216) 321 7864 jhurley@itpolicycompliance.com Managing Editor, John Ortbal Telephone: +1 (847) 444 0344 jortbal@itpolicycompliance.com www.itpolicycompliance.com February 2007
The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but are not guaranteed. Research publications reflect current conditions that are subject to change without notice. Copyright 2007 IT Policy Compliance Group. All rights reserved. 02/07 10705114