My official title may be "analyst," but market research is the part of my job that appeals to the geek in me. Good thing I work at ESG, where we do market research around information assurance all the time.
Given an IT security landscape highlighted by regulatory compliance, publicly-disclosed data breaches, and increasingly sophisticated threats, we often ask survey respondents whether their organization suffered a data breach in the last 12 months. ESG has probably asked this very question in several research projects over the past few years. In the past, about 30 percent of large organizations (i.e. 1,000 employees or more) claimed that their organization had suffered a data breach within the last year.
This pattern was fairly consistent from 2005 through 2007, so I expected to see similar results when we conducted another research survey focused on application and database security at the end of 2008. I was shocked to see that things have actually grown much worse. In a November 2008 survey of 179 North American-based security professionals, 56 percent claimed that their organization had suffered a data breach within the past 12 months. In further analysis, 61 percent of organizations with 1,000 to 5,000 employees suffered a data breach in that time frame. It's easy to assume that these smaller firms are more at risk since they are likely to have fewer security technologies in place and smaller security staffs. Perhaps this is true, but even bigger companies are suffering data breaches--49 percent of organizations with 5,000 employees or more endured at least one data breach of their own.
Armed with data from several years of surveys, I think it is safe to assume that things are getting worse, not better. Sensitive data continues to flow throughout the enterprise, ending up in e-mails and IMs, laptops, and thumb drives, and into the hands of malicious or careless employees--an uphill battle indeed.
We all realize that the economy stinks and CIOs absolutely must cut IT spending. That said, the ESG data suggests that they take a prudent approach to security spending cuts. Remember that one publicly-disclosed breach can cost a lot more than a security staffer, technology safeguard, or additional training. Just ask, , , or the 56 percent of large organizations represented in the ESG Research data.