Some businesses count the cost of data leakage in terms of increased scrutiny by stakeholders, and emergency investment in new security technology and processes, after the event:
“Major publicity, increasing data security costs and staff training.”
“High scrutiny of our company by client, as a result we have had to spend millions on changing processes.”
These comments, made by anonymous IT decision-makers from UK businesses with more than 500 employees, reveal a lack of investment in adequate data leakage prevention (DLP) until after a damaging leak occurs.
Chris Jenkins, Security Line of Business Manager at Dimension Data UK, says: “With the ICO’s increased powers as of April last year, combined with the scale and immediacy of the web and social media, businesses that leak customer data, for instance, are more likely than ever to suffer from a tarnished reputation through public exposure. Despite this, however, some organisations take a reactive approach, assuming, or hoping, it will never happen to them. The reality is that delay will exacerbate the consequences of a data leak. For example, emergency improvements to a business’s security posture after an incident are far more costly and disruptive than planned enhancements.”
The research also shows that, overall, one in ten large UK businesses has experienced a data leakage incident. And, tellingly, over half of respondents (51%) think that their business has suffered a leak that they are unaware of. Despite this, 31% of organisations haven’t even assessed the business risks associated with data security – the first step in building a business case for investment in DLP.
Respondents say that the top three barriers to adoption of DLP are as follows: other IT spending priorities take precedence, lack of board level will to invest, and uncertainty about whether it’s necessary for the organisation. According to Jenkins, this explains the reactive approach of some businesses, and suggests that the main challenge for IT decision-makers is building a business case for DLP and getting it on the boardroom agenda.
“Traditionally,” he said, “risks from data leakage have been hard to quantify, and a business case for investment in security measures has consequently been difficult to build, even though the will may be present in the IT department. Now, however, there are many public examples of the damaging effects of data leakage incidents that businesses can draw on to help build the case for investment in DLP. Our study, and others like it, can be added to the mix. All of this can be used in conjunction with a risk assessment, which will provide an overview of a business’s security posture, the criticality or sensitivity of its data, and the possible consequences of a data leak.”
Jenkins concludes, saying: “DLP is not a one-size fits all solution. Businesses need to gain a comprehensive view of their security posture, and weigh this against their appetite to risk, before deciding what DLP is necessary to lower risk to an acceptable level. At the least, even if they don’t go on to make any new investments, this proactive approach will help them prepare for the consequences of a damaging data leak. At best, it will greatly reduce their risk of having a data leak and, if one does occur, the fallout from it and the resulting costs.”