TDR

Study finds businesses spending too much on compliance

April 6, 2010
Enterprises are not investing enough of their resources in protecting against the theft of valuable intellectual property, instead concentrating too much on compliance efforts, a new report from Forrester Consulting concludes.

The survey, commissioned by RSA and Microsoft and released Monday, found that information security investments are “overweighed” toward compliance endeavors, which aim to safeguard customer, medical and payment card information. Meanwhile, for many organizations, investments to protect corporate secrets are insufficient, said the survey, which polled 305 IT security decision-makers worldwide

“The investment profile mismatches the information value,” JG Chirapurath, senior director of the Identity and Security Business Group for Microsoft, told SCMagazineUS.com on Tuesday. “My thesis is that it is an investment cycle and this misalignment will realign and balance."

The survey, “The Value of Corporate Secrets,” found that enterprises devote 40 percent of their information security budgets to compliance efforts, and the same percentage to secure sensitive intellectual property.

But for most enterprises, corporate secrets – which can generate revenue, increase profits, and maintain competitive advantage – are much more valuable than customer information, the survey states. Customer secrets comprise 62 percent of an overall information portfolio's total value, while compliance-regulated customer data comprises 38 percent.

For the last several years, organizations have been under pressure to become compliant with data security regulations, Chirapurath said. These regulations are important because they aim to thwart data breaches of customer information, which can result in vast legal and brand issues. However, attackers today also aim to steal trade secrets, which for an organization can result in significant losses in future revenue.

“Companies are spending money to protect customer, medical and payment card information, as they should, but more emphasis needs to be placed on protecting the intellectual property and data that has intrinsic value to an organization," Sam Curry, CTO of marketing at RSA, said in a statement. "If [intellectual property] is lost, it can cause long-term competitive harm to an organization.”

The survey also found that enterprise security investments are overly-biased toward preventing employee mistakes, as opposed to securing critical data.

Employee-related accidents, such as lost phones or laptops, cost organizations much less money in damages than incidents of malicious theft by insiders and third parties, the study found. However, security “best practices” such as full-disk encryption and data leak prevention policies, are most often designed to reduce the impact of employee accidents and the frequency of data breaches involving customer information. They are less often used to prevent theft, the survey found.

Enterprises should instead, focus more of their resources on preventing insider theft and abuse by outsiders, the survey states.

To ensure investments are in line with risks, information security leaders must first identify and classify the organization's most valuable information assets, the report recommended. Next, a “risk register” should be created, documenting the risks and threat vectors facing each class of information. Finally, organizations should use this knowledge to prioritize future information security investments.

prestitial ad