How Compliance Controls Can Minimize Data Loss

By Tom Schmidt

It's news that has been turning quite a few corporate heads lately.

According to a report released in July by the IT Policy Compliance Group, nine in 10 firms are exposed to financial risk from data loss and theft. These risks, which can cost organizations customers, reduced revenues and even a decline in share price, could be significantly reduced by implementing core procedural and technical controls and monitoring those controls at least once every two weeks.

"Among larger enterprises," the report concluded, "the probability of a publicly disclosed data loss is likely once every three years if the firm is currently operating as a laggard. In contrast, organizations with the best results have delayed the probability of data loss to once in every 42 years. The benchmarks show that the organizations excelling at compliance are the same firms with the least data losses and the least business disruptions from IT downtime."

Turning to the costs of data breaches, the IT Policy Compliance Group found that organizations experiencing a publicly reported data loss expect to see an 8% decline in customers and revenue, an 8% decline in the price per share for publicly traded firms and additional expenses averaging $100 per lost customer record for firms experiencing publicly disclosed data losses and thefts.

This article initially looks at some of the implications of compliance spending. It then considers a number of compliance, risk and governance practices that, if implemented correctly by financial institutions, can significantly reduce the frequency and impact of data loss.

The return on spending
In its report, the IT Policy Compliance Group found that, based on financial losses sustained after a publicly exposed data loss (including lost customers and revenues, stock price declines and additional costs and total cumulative spending on compliance and data protection activities), the returns on compliance and data protection spending are positive for almost all organizations.

"Perhaps most important," the report continued, "the amount spent on improving compliance and data protection is a very small percentage of the financial value that is at risk. With returns on compliance spending for larger enterprises starting at 1,000% and climbing to 100,000%, it is obvious that compliance is good for business. Not only is good governance the right thing to do, but better compliance pays for itself through the avoidance of predictable financial risk."

The report also found that most large enterprises are auditing and monitoring IT compliance once every 140 days, "whereas the industry leaders are conducting these measurements once every 21 days."

High-profile breaches in the news
The IT Policy Compliance Group's report is particularly timely, coming as it does at a time of several high-profile financial services breaches. For example:

• TTD Ameritrade announced in September that a compromised computer at the company had leaked the email addresses of potentially all of its 6.3 million customers. A New York law firm has filed a class-action lawsuit against the brokerage, charging that the company knew that email addresses were leaking to spammers and failed to inform customers.
• Electronic payment processor Fidelity National Information Services Inc. fired an employee in its Certegy Check Services Inc. unit for allegedly stealing, then selling to marketers, bank and credit card data from as many as 2.3 million customers.
• MoneyGram International reported that approximately 79,000 people had their personal information -- such as names, addresses, phone numbers and, in a few cases, bank account information -- stolen. The data was illegally accessed over the Internet.

Implementing best practices
As many experts have observed, unfortunately, there is no silver bullet when it comes to data loss prevention. But that doesn't mean there is no solution. There is, but it requires much more than technology. It is really an issue that requires the combination of people, process and technology.

Research by the IT Policy Compliance Group shows that successful firms -- i.e., those with the fewest data losses and thefts -- are driving operational excellence in IT by improving compliance, especially in IT general controls and IT security controls and procedures. More notably, perhaps, recent research shows the least data loss among firms that are monitoring and measuring controls against objectives consistently at least once every two weeks.

Based on what is working among organizations with the fewest data losses, the IT Policy Compliance Group report identified practices that will assist businesses with improving IT compliance results, reduce business downtime and reduce data loss and theft. These include:

• Implementing more and appropriate IT controls
• Reducing control objectives, making it easier to communicate, measure and report against
• Establishing higher standards for performance objectives
• Encouraging a culture of operational excellence in IT
• Conducting monitoring, measurement and reporting of controls against objectives at least once every two weeks
• Allocating more "spend" to the automating of controls

Conclusion
An effective IT governance process, along with concise IT control objectives and the right mix of built-in IT controls, allows financial institutions to set policies and measure against those policies in a consistent manner. By creating a measurable and repeatable IT compliance program, these organizations are better able to adequately protect against data loss and ensure a high level of compliance. As the IT Policy Compliance Group's latest report demonstrates, appropriate additional controls are not only warranted, they are essential to prevent theft and loss.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.