New study reveals enterprises under-invest in protecting corporate secrets

Johannesburg, 16 Apr 2010

RSA, the Security Division of EMC, has announced the results of an independently commissioned global survey conducted by Forrester Consulting on behalf of RSA and Microsoft, entitled: “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk”.

The survey of 305 IT security decision-makers worldwide revealed that enterprises are investing heavily in compliance and protection against accidental leaks of custodial data (such as customer information), but under-investing in protection against theft of far more valuable corporate secrets.

According to Forrester Consulting's study: “Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programmes. Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programmes. But secrets comprise 62% of the overall information portfolio's total value, while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance.”

“Companies are spending money to protect customer, medical and payment card information, as they should, but more emphasis needs to be placed on protecting the intellectual property and data that has intrinsic value to an organisation,” said Rob Watson, Country Manager of RSA South Africa. “If IP is lost, it can cause long-term competitive harm to an organisation. The recent and highly-sophisticated attacks targeting intellectual property of large multinational companies are examples of this type of loss.”

The survey found that while organisations focus on data security incidents related to accidental loss, information theft by employees or trusted outsiders is more costly. For example, based on responses received in the survey, employee theft of sensitive information is 10 times costlier than accidental loss on a per-incident basis: hundreds of thousands of dollars versus tens of thousands.

“Insider risk is a real and growing threat and the modern enterprise environment of collaboration with a variety of outside parties creates more opportunities for leakage and theft,” said John Chirapurath, senior director of the Identity and Security Business Group at Microsoft. “This data illustrates that the more a company has to lose in terms of information value, the more criminal activity it will face.”

Despite a wide range in security spending, views on the value of information and the number of security incidents reported among the respondents, nearly every company surveyed rated its security controls to be equally effective.

“Most enterprises do not actually know whether their data security programs work or not, other than by raw incident counting,” according to Forrester Consulting. “Compliance in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure.”

Together, Forrester, Microsoft and RSA are providing a set of recommendations within the study to help enterprises ensure that their information security strategies are appropriately balanced, including:

* Identify the most valuable information assets in the company's portfolio

* Create a “risk register” of data security risks that documents specific threat scenarios

* Assess and reprioritise the IT security program's balance between compliance and protecting secrets

* Increase vigilance of external and third-party business relationships

* Measure data security program effectiveness

EMC

EMC Corporation (NYSE: EMC) is the world's leading developer and provider of information infrastructure technology and solutions that enable organisations of all sizes to transform the way they compete and create value from their information. Information about EMC's products and services can be found at www.EMC.com.

EMC is a registered trademark of EMC Corporation. All other trademarks used are the property of their respective owners.

RSA

RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organisations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its life cycle - no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance and access control, data loss prevention, encryption and key management, compliance and security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

Editorial contacts

Sonelia du Preez
EMC Southern Africa
(011) 581-0033