In a new, downloadable report entitled 'Why Compliance Pays: Reputations and Revenues at Risk', the IT Policy Compliance Group has tried to put some numbers on the cost of data breaches.
Compliance regulations are a big pain in the neck, but putting policies and practices in place that control who has access to what information and under what conditions is not just a requirement of many laws, it is also a good idea in an increasingly networked and computerised world. But often, companies look at compliance measures as a cost, much as they did when they considered mainframes and minicomputers decades ago. The IT Policy Compliance Group wants companies to think of compliance efforts as a means of preserving corporate reputations and revenues.
The report notes that, according to Attrition's Data Loss Database, 280 US-based companies have had publicly disclosed incidents of data theft or loss in the past two years. The group reckons the numbers will only increase, because consumers and government regulators are watching more closely and more breaches will therefore come to light. Based on benchmark metrics derived by the group, a company that is outed for losing customer data or being breached by hackers can expect an 8% decline in revenue, an 8% hit to its stock price, and expenses in the range of $100 per lost customer record. Those are big numbers, obviously, even if they are very broad averages.
The study also says that a compliance laggard can expect a publicly disclosed data loss roughly once every three years, while companies on top of their compliance game have cut the expected frequency to once every 42 years. The group's benchmarks also show that the companies that are best at compliance are the same ones that suffer the fewest data losses and the least IT system downtime.