July 16, 2007

Report: 90 percent of companies fail compliance

A new report by the IT Policy Compliance Group finds that the vast majority of businesses do not meet data-handling regulations, increasing the risk of a data breach

An overwhelming percentage of businesses still fall far short in their efforts to comply with industry data-handling regulations and reduce their likelihood of experiencing a serious leakage incident, according to a new survey.

In a report to be published by the IT Policy Compliance Group on July 18, the consortium of IT compliance and security experts concludes that some 90 percent of all businesses still do not have sufficient policies in place to meet data governance regulations and adequately limit the risk of a breach.

In the survey of 475 companies, a third of which reported revenues of more than $1 billion last year, the industry group found that an overwhelming majority of the firms expect to deal with at least six business disruptions related to major data incidents per year, along with five or more instances of information loss or theft.

While businesses continue to invest in policy enforcement software and other technologies aimed at helping them meet data-handling regulations, said James Hurley, managing director of IT Policy Compliance Group, most are still struggling to fill all the gaps in their systems that leave them open to potential incidents.

Hurley is also a senior research manager at security software maker Symantec, a member of the compliance policy think tank, along with such organizations as the Computer Security Institute, Institute of Internal Auditors, ISACA, and IT Governance Institute.

Along with well-known federal guidelines, such as the Sarbanes-Oxley Act, many companies are having trouble responding to new statewide data protection measures crafted after the California 1386 bill, which requires businesses to make public notice of severe data incidents, he said.

"When it comes to protecting data, a lot of organizations still find information all over the place that they may not even have control over," Hurley said. "People are finally discovering this is a difficult problem and that the controls they thought they have in place may not be adequate; that they need to rethink those controls and find out where the data inventory actually is because in most organizations, it's not under control."

In addition to gauging what percentage of companies remain at risk for a data breach, the survey also attempted to measure the impact of such an event on the average company. Based on its respondents' replies, businesses that are forced to report major incidents publicly can expect to experience an 8 percent drop in their stock price and to lose an equal 8 percent of their customers.

Companies can also expect to report an 8 percent falloff in their quarterly revenue, along with additional costs for litigation, customer notification, and subsequent settlements averaging $100 for each record they lose.

In a nod to the increased challenge of meeting regulations and lowering data leakage within enterprises, the report concludes that larger companies are more likely to have incidents, based on its research. Organizations with fewer than 1,000 workers average roughly 8 percent in revenue and customer losses per event, whereas companies with more than 100,000 employees can expect to lose 12 percent of their sales and clientele.


©1994-2010 Infoworld, Inc.