SAN FRANCISCO – Companies that invest wisely to protect against data loss and theft will experience far greater savings in the long term, according to the latest report from the IT Policy Compliance Group.

The report, entitled “Managing Spend on Information Security and Audit to Improve Results,” polled more than 2,600 firms and found that 68 per cent of them were under-spending on information security relative to the financial risks and losses they were experiencing.

At the same time, the study showed that by incrementally increasing funding of best practices, companies can enjoy financial returns of as much as 200 per cent.

“Like an insurance deductible, all organizations are willing to sustain some level of financial risk and loss from theft of customer data or some level of business downtime from IT disruptions,” said Jim Hurley, managing director of IT PCG and principal research manager at Symantec. “However, the research findings show that an organization’s loss-tolerance is exceedingly low, and the financial returns for small improvements are extraordinarily high.”

The firms polled ranked three IT-related business risks well ahead of other possible risks: confidentiality of sensitive information; integrity of information, assets and controls in IT; and availability of IT services.

According to the study, only 13 per cent of firms are achieving “best outcomes” — fewer than three losses or thefts of sensitive information each year, less than seven hours of business downtime, and fewer than three audit-failing deficiencies.

The majority of firms (68 per cent) were operating at “normal” levels, experiencing between three and 15 losses or data thefts per year, between seven and 79 hours of business downtime from IT failures, and between three and 15 audit-failing deficiencies.

Nineteen per cent of firms are experiencing “worst outcomes” of more than 15 losses or data thefts per year, 80 or more hours of business downtime from IT failures, and more than 15 audit-failing deficiencies.

The report found that the difference in outcome between the worst performers and the best performers was not a result of the size of security budgets, but rather how those budgets were used.

“This report is a clear demonstration of the benefits that organizations can achieve from effective management of security, availability and other IT-related business risks,” said Brian Barnier, member of the IT Governance Institute’s Risk IT Task Force. “Good practices such as the freely downloadable COBIT framework can help organizations take specific actions to mitigate risk and maximize value.”

According to the report, companies with the best outcomes and least financial losses are leveraging the following five practices:

Leveraging a senior management team to manage risk

Prioritizing risks, improving controls, and automating procedures

Continuously assessing controls and risks

Leveraging technical controls, policies, and IT change management

Comprehensive reporting

“As the IT Policy Compliance Group’s research demonstrates, companies that make improvements in managing their IT security risk will realize numerous benefits, including lower financial exposure and losses as well as savings on regulatory audit fees and expenses,” said Rocco Grillo, a managing director in Protiviti’s Information Security & Data Privacy practice.

“The group’s findings quantify what has been assumed to be a best practice: organizations with a top-down approach and a clear owner who has line of authority and visibility to the business lines maintain the most cost-effective and comprehensive information security programs,” Grillo added.

Firms that leveraged these best practices were found to experience the least expensive and most infrequent financial losses. Firms operating at the worst levels literally paid the price, with data loss and theft equalling 9.6 per cent of annual revenue, and business downtime costs equalling nearly three per cent of annual revenue.

Among organizations with $5 billion in revenue, the combined costs from data loss or theft and business downtime ranged from $329 million for firms with the worst practices to $2.25 million for firms that had implemented the best practices – 149 times less.

“Firms can either wait until an emergency pushes them to reprioritize, or they can decide that it is in their best interests to institute these industry proven practices,” said Hurley.

The research found that firms with the best outcomes were spending between 35 and 52 per cent less on audit fees and expenses. For these firms, adjusting the amount of money spent on practices that reduce risk, loss and audit spending can produce financial returns ranging from 1,000 to 500,000 per cent more than the loss which the organizations are willing to sustain.

This column was written by Erin Bell of ConnectIT, an IntegratedMarCompany