Enterprises are investing heavily in compliance and protection against accidental leaks of custodial data (such as customer information), but under-investing in protection against theft of far more valuable corporate secrets, according to a global survey by Forrester Consulting.
Nearly 90% of surveyed enterprises agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies is the primary driver of their data security programs.
A significant share of enterprise budgets (39%) is devoted to compliance-related data security programs. But secrets comprise 62% of the overall information portfolio’s total value, while compliance-related custodial data comprises just 38%, a much smaller proportion. This strongly suggests that investments are overweighted toward compliance.
The survey found that while organizations focus on data security incidents related to accidental loss, information theft by employees or trusted outsiders is more costly. For example, based on responses received in the survey, employee theft of sensitive information is ten times as costly as accidental loss on a per-incident basis: hundreds of thousands of dollars versus tens of thousands.
“Insider risk is a real and growing threat and the modern enterprise environment of collaboration with a variety of outside parties creates more opportunities for leakage and theft,” said John Chirapurath, senior director of the Identity and Security Business Group at Microsoft. “This data illustrates that the more a company has to lose in terms of information value, the more criminal activity it will face.”
Despite wide variation in security spending, in views on the value of information, and in the number of security incidents reported among the respondents, nearly every company surveyed rated its security controls as equally effective.