While some researchers have tried previously to divine the overall expense of having a major data breach, such as the one reported by retailer TJX Companies in early 2007, it has been hard to guess just how much such an event truly costs said Mike Money, associate director at Protiviti, an auditing services specialist that is also participating in the consortium.
"We finally have some data on this because of the state laws that have gone into effect, so hopefully some companies see this report and understand the extent of the problem," Money said. "People are finally starting to focus on the issue because they see the newspaper headlines every day, and until you've been through one of these types of events, it's hard to understand all the implications."
Unsurprisingly, the report also finds that companies that allocate the highest budgets for compliance automation technologies are faring better in their efforts than those who spend less on the issue.
In a shift from previous studies completed by IT Policy Compliance Group, however, it appears that most organizations are realizing they need to adjust their budgets to account for the tools, Hurley said.
"The difference is that these state regulations have put this on the front of the radar screen, and they are realizing that they need to spend money to solve security problems that benefit compliance goals," said Hurley. "There's a clear linkage between having better controls and experiencing fewer data losses and business disruptions, as obvious as that may seem."