European CIOs Estimate Failure to Protect Customer Data Can Cost €2.7 million
In revenue loss and fines, according to Quest/Dell survey
This is a Press Release edited by StorageNewsletter.com on December 20, 2012 at 2:27 pm
Use of consumer devices in the workplace, geographically dispersed teams, and the prevalence of social networks all are having a dramatic impact on the way people share corporate information, which is raising serious concerns around data security.
Quest Software, Inc., part of Dell, Inc., recently commissioned Vanson Bourne to survey CIOs in the UK, France and Germany, and found that current information security policies are failing to protect business-critical information, as identity and access management processes have not been updated to meet changing employee needs, which is leaving businesses exposed to risk.
In addition, the research found that 65% of European CIOs believe that employees share corporate data in the fastest and easiest way, regularly bypassing IT policy, and feeling little accountability for protecting critical company information.
69% also agree that organisations and employees should take greater responsibility for how corporate data is shared, stored and managed. Due to the significant security, financial and reputational risks of losing information, identity and access management is a priority for over three quarters of European organisations in 2013 (76%).
Quest offers best practice advice to address the following security issues:
Increased security breaches
European CIOs say that personnel (42%), customer (33%) and HR information (31%) are some of the most shared data on social networks and third party websites. In the past 12-18 months, HR (30%), customer (25%), and financial information (23%) have been exposed outside of the business, due to ineffective identity and access management. For organisations that have experienced these data breaches, 33% agreed that the company had lost customer trust, and 32% believed that it damaged corporate reputation.
Decreased productivity
98% of CIOs also agreed that poor identity and access management makes employees use third party sites as ‘work-arounds’ when storing and sharing information, which can inhibit collaboration and productivity. 31% of CIOs said that over the past 12-18 months, employees have been stuck for prolonged periods of time without access to information they need to do their job.
Securing systems
62% of CIOs have faced increasing pressure over the past 12 months to protect company data, due to the growing number of news stories about organisations losing corporate data. Organisations are experiencing the most pressure from internal legal teams (41%), CEOs (40%), and regulators (33%).
Best practice
Solutions such as Quest One Identity Solutions offer a set of capabilities, providing controls in a flexible, modular architecture suited to address a range of security concerns, and avoid the risks posed by poor identity and access management practices.
CIOs can get more peace of mind by following these best practice guidelines:
- Focus on Education – For the majority of today’s information security threats, prevention and mitigation lie in education, diligence, and processes – supported by technology where appropriate – that enforce strong passwords (which are changed regularly).
- Adopt a ‘least privilege’ security posture – Give each employee the least privilege necessary to accomplish required tasks and ensure that unnecessary access rights are revoked whenever an employee changes roles.
- Embrace an access review policy – Provide regular, automated access alerts that notify two or more administrators of access changes, employee changes or other critical issues.
- Achieve compliance – Implement access control and separation of duties practices and technologies, and develop, implement and enforce secure policy on all system access.
Phil Allen, Information Security expert (EMEA), Quest Software, said: "We are seeing many organisations grapple with the consequences of ineffective information and access governance policies, including increased security breaches, decreased productivity and rising costs. European CIOs estimate that failure to protect customer data can cost €2.7 million in revenue loss and fines; however, the impact on corporate reputation is more damaging. Security systems have not been implemented with tech-savvy employees in mind. People therefore resort to the easiest way of sharing corporate data, and many do so without thinking about the consequences. This begs the question: Will employees eventually be contractually held accountable for corporate data breaches?
"As the guardians of information, CIOs need to rethink how they deliver IT services and tools to employees, in order to offer a better service which meets both the end-user and business requirements, whilst not introducing unnecessary risk. IT leaders also need to better educate employees about the risks of sharing corporate data on vulnerable channels."
Martin Kuppinger, founder and principal analyst, KuppingerCole, said: "Identity and access governance is going to be one of the fastest-growing areas over the next few years, as CIOs look to ensure they are compliant and not opening the organisation up to unnecessary security risk. Regulators and industry bodies are clamping down hard on organisations that don’t take full measures to protect corporate data and the result can be extremely damaging, regardless of how large or small the incident."
About the research:
Quest Software commissioned research agency Vanson Bourne to survey 175 CIOs and IT decision-makers in the UK, France and Germany (525 in total) during September 2012. The survey targeted IT decision-makers at organisations with over 500 employees.