U.S. corporations lost $59 billion in proprietary information and intellectual property during the past year, according to a report released by the American Society for Industrial Security (ASIS), PricewaterhouseCoopers and the U.S. Chamber of Commerce.
But what the report’s authors and other security experts find most alarming (though not surprising) is the fact only a little more than 13 percent
of Fortune 1,000 companies even responded to the survey conducted earlier
this year. Of those 139 who did respond, only 40 percent of them reported
an incidence of known or suspected information theft.
The actual dollar amount is probably much, much higher than the $59 billion
reported, experts said, though for various reasons, it’s hard to put a quantifiable
number on theft of private property.
“I’d say without any hesitancy this is a conservative number,” said Vicki
Contavespi, a spokesperson at ASIS. “Even conservatively, that’s a huge
chunk of change.”
The report, Trends in Proprietary Information Loss Survey, the 10th
such report, found a “troubling managerial attitude” in the companies that
did respond to the survey — 138 Fortune 1,000 companies and 600
small-to-medium sized companies. Only 55 percent of the respondents found
their managers were concerned about information loss and taking steps to
safeguard their critical information.
Todd Tucker, director of security architecture and strategy at PentaSafe, a
security management firm, said he isn’t surprised by the low turnout for
the survey and that it is comparable to the results found in many surveys
conducted by security organizations.
He said many of these companies that decline to respond are still trying to
figure out what kind of security breaches they have before attempting to
correct the problem.
“I don’t think companies are intentionally ducking their heads. What I
think is happening is they are going through the process of learning the
risks that are inherent to their own companies and they’re figuring out how
to deal with those problems,” Tucker said. “What surveys like these do is
help security officers and risk management personnel justify resources
spent on efforts like security awareness and increasing information security.”
The most common types of information stolen, the survey found, are research and development (49 percent), private customer lists and personal
information (36 percent) and financial data (27 percent).
Exacerbating the problem is the fact most companies are reluctant to
disclose the extent of their breaches, for fear of embarrassment or loss of
customers in the event the findings were published.
That reluctance, Contavespi said, is keeping U.S. security experts from
determining the extent of the problem and finding a way to come up with a
solution for corporate security woes.
“They have to get over their reluctance to share information about losses
so we can figure out the full extent and nature of the problem,” she
said. “They need to centralize their loss reporting system, they have to
make information protection a higher priority and they have to set up a
system for valuing intellectual property.”
Tucker, who is also a member of the Human Firewall Council, said a report
published several weeks ago by the organization, Security
Management Practices, shows the common security practices at many
companies throughout the U.S. The benchmarks found there, as well as a few
simple security awareness issues can prevent some of the most flagrant
breaches.
“I believe that where companies should start is with educating their own
people as to the risks related to information technology and the value of
their information and educating them on how to better protect that
information,” he said. “In our survey, we found that only 1/3 of the
companies had a classification scheme. That’s tremendously important to
curtailing losses such as this.”
The ASIS report shows that, indeed, the losses can quickly add up on
research and development thefts, which amounted to $404,000 per
incident. Individual financial data thefts cost companies an average $356,000.
