RSA, The Security Division of EMC and Microsoft (MSFT) today announced the results of a commissioned global survey conducted by Forrester Consulting on behalf of RSA and Microsoft, entitled “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk.”
The survey of 305 IT security decision-makers worldwide revealed that enterprises are investing heavily in compliance and protection against accidental leaks of custodial data (such as customer information), but under-investing in protection against theft of far more valuable trade secrets.
Security spending mis-aligned with information value
“Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs. “Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programs,” according to Forrester Consulting’s study. “But secrets comprise 62% of the overall information portfolio’s total value while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighed toward compliance.”
“Companies are spending money to protect customer, medical and payment card information, as they should, but more emphasis needs to be placed on protecting the intellectual property and data that has intrinsic value to an organization,” said Sam Curry, CTO, Marketing, RSA, The Security Division of EMC. “If IP is lost, it can cause long term competitive harm to an organization. The recent and highly-sophisticated attacks targeting intellectual property of large multinational companies are examples of this type of loss.”
Information theft is more costly than accidental loss
The survey revealed that while organizations focus on data security incidents related to accidental loss, information theft by employees or trusted outsiders is more costly. For example, based on responses received in the survey, employee theft of sensitive information is ten times costlier than accidental loss on a per-incident basis: hundreds of thousands of dollars versus tens of thousands.
“Insider risk is a real and growing threat and the modern enterprise environment of collaboration with a variety of outside parties creates more opportunities for leakage and theft,” said John Chirapurath, senior director of the Identity and Security Business Group at Microsoft. “This data illustrates that the more a company has to lose in terms of information value, the more criminal activity it will face.”
A need for real assessment and measurement of information security
Despite a wide range in security spending, views on the value of information and number of incidents, nearly every company rated its security controls to be equally effective.
“Most enterprises do not actually know whether their data security programs work or not, other than by raw incident counting,” according to Forrester Consulting. “‘Compliance’ in all its forms has helped CISOs buy more gear. But it has distracted IT security from its traditional focus: keeping company secrets secure.”