It’s news that has been turning quite a few corporate heads lately.

According to a report released in July by the IT Policy Compliance Group, nine in 10 firms are exposed to financial risk from data loss and theft. These risks, which can cost organisations customers, reduced revenues, and even a decline in share price, could be significantly reduced by implementing core procedural and technical controls and monitoring those controls at least once every two weeks.

"Among larger enterprises,” the report concluded, “the probability of a publicly disclosed data loss is likely once every three years if the firm is currently operating as a laggard. In contrast, organisations with the best results have delayed the probability of data loss to once in every 42 years. The benchmarks show that the organisations excelling at compliance are the same firms with the least data losses and the least business disruptions from IT downtime.”

Turning to the costs of data breaches, the IT Policy Compliance Group found that organisations experiencing a publicly reported data loss expect to see an 8% decline in customers and revenue, an 8% decline in the price per share for publicly traded firms, and additional expenses averaging $100 per lost customer record for firms experiencing publicly disclosed data losses and thefts.

This article looks initially at some of the implications of compliance spending. It then considers a number of compliance, risk, and governance practices that, if implemented correctly by financial institutions, can significantly reduce the frequency and impact of data loss.

The Return On Spending

In its report, the IT Policy Compliance Group found that, based on financial losses sustained after a publicly exposed data loss (including lost customers and revenues, stock price declines, and additional costs and total cumulative spending on compliance and data protection activities), the returns on compliance and data protection spending are positive for almost all organisations.

“Perhaps most important,” the report continued, “the amount spent on improving compliance and data protection is a very small percentage of the financial value that is at risk. With returns on compliance spending for larger enterprises starting at 1,000% and climbing to 100,000%, it is obvious that compliance is good for business.”

The report also found that most large enterprises are auditing and monitoring IT compliance once every 140 days, “whereas the industry leaders are conducting these measurements once every 21 days.”

High-profile breaches in the news

The IT Policy Compliance Group’s report is particularly timely, coming as it does at a time of several high-profile financial services breaches. For example:

• TTD Ameritrade announced in September that a compromised computer at the company had leaked the email addresses of potentially all of its 6.3 million customers. A New York law firm has filed a class-action lawsuit against the brokerage, charging that the company knew that email addresses were leaking to spammers and failed to inform customers.
• Electronic payment processor Fidelity National Information Services Inc. fired an employee in its Certegy Check Services Inc. unit for allegedly stealing, then selling to marketers, bank and credit card data from as many as 2.3 million customers.
• MoneyGram International reported that approximately 79,000 people had their personal information -- such as names, addresses, phone numbers, and, in a few cases, bank account information -- stolen. The data was illegally accessed over the Internet.

Implementing Best Practices

As many experts have observed, unfortunately there is no silver bullet when it comes to data loss prevention. But that doesn’t mean there is no solution. There is, but it requires much more than technology. It is really an issue that requires the combination of people, process, and technology.

Research by the IT Policy Compliance Group and Symantec shows that successful firms – i.e., those with the fewest data losses and thefts -- are driving operational excellence in IT by improving compliance results, especially in IT general controls and IT security controls and procedures. More notably, perhaps, recent research shows the least data loss among firms that are monitoring and measuring controls against objectives consistently at least once every two weeks.

Based on what is working among organisations with the fewest data losses, the IT Policy Compliance Group report identified practices that will assist businesses with improving IT compliance results, reduce business downtime, and reduce data loss and theft. These include implementing more and appropriate IT controls; reducing control objectives, making it easier to communicate, measure, and report against; establishing higher standards for performance objectives; encouraging a culture of operational excellence in IT; conducting monitoring, measurement, and reporting of controls against objectives at least once every two weeks; and allocating more “spend” to the automating of controls.

Symantec Information Foundation Prevents Data Loss

Last year, Symantec announced Information Foundation 2007, which is intended to help IT professionals prevent the risk of data loss and policy violations. Symantec Information Foundation offers consistent content controls with automatic classification and policy enforcement for effective risk management; integrated incident management and remediation for ensuring risk management compliance; and centralised archiving, audit, and discovery.

Conclusion

An effective IT governance process, along with concise IT control objectives and the right mix of built-in IT controls, allows financial institutions to set policies and measure against those policies in a consistent manner. By creating a measurable and repeatable IT compliance programme, these organisations are better able to adequately protect against data loss and ensure a high level of compliance. As the IT Policy Compliance Group’s latest report demonstrates, appropriate additional controls are not only warranted, they are essential to prevent theft and loss.

The author is managing director, Symantec India & SAARC