Sensitive corporate data moving across national borders is increasingly exposed to industrial espionage and organized crime, according to a survey of senior IT personnel around the world.
As companies extend their trust to corporate partners, service providers, suppliers and offices abroad, they are allowing millions of dollars of sensitive customer information and intellectual property to move with the business.
And they are losing it.
In the Unsecured Economies Report commissioned by McAfee Inc., 800 senior IT directors said their companies keep an average of $12 million worth of sensitive information abroad. Those companies also reported losing an average of $4.6 million worth of intellectual property in 2008.
"Based on the survey findings, McAfee conservatively estimates the global damage from data loss to top one trillion dollars," McAfee CEO Dave DeWalt said when announcing the survey findings today.
It's a startlingly high cost of doing business in a global economy. But companies are forging ahead. The survey found that they are driven, in order, by cost reduction, supply chain partner efficiency, expertise and, ironically, in many cases, safety.
The respondents said they were generally more concerned about the impact on their companies' reputation if sensitive information was leaked or stolen than about the financial impact.
"Our corporation is everywhere," said Mike Siegel, director of product management for McAfee's data protection unit. "It's fluid. It's with our partners; it's with our supply chain; it's with our outsourcers; it's with our knowledge workers, who are in the back of a taxicab. It's everywhere."
Professors Karthik Kannan, Jackie Rees and Eugene H. Spafford from Purdue University and the Center for Education and Research in Information Assurance and Security (CERIAS) undertook extensive research with experts from around the globe. Those surveyed were 100 IT directors each from the U.S., the U.K., Japan, China, India, Brazil and the Middle East.
Surprisingly, developing countries -- India, China and Brazil -- spend a substantially higher percentage of their IT budgets on security. The percentage was strikingly low in the United Kingdom, 4% (compared to 35% in India).
The motivation behind these differences is revealing. Companies in developing countries -- 74% in China and 68% in India -- said that better security gives them a competitive advantage in attracting customers and clients. But security spending by companies in Japan, Germany, the U.K. and the United States is generally driven by compliance.
On the other hand, a significant minority of companies in Germany, Japan, India and the Middle East said they don't investigate security incidents, either because of the cost or bad publicity.
The global recession is making things worse.
In particular, companies around the world are concerned about insiders turning on them to steal data for pay. Laid-off employees, motivated by a combination of money and anger, were first on the list, cited by 42% of the respondents as their prime concern in a recession. This was followed by outside hackers and financially strapped employees. The latter are always of concern, especially in developing countries, but more so in a tough economy. In addition to money, employees who fear they will be laid off may steal sensitive data to help them land a job with a competitor.
"Managing insider threats is difficult," Tim Shimeall, an analyst at Carnegie Mellon University's CERT Network Situational Awareness Group, wrote in the report. "With more sophisticated technologies at their fingertips and increased access to data, it has become easier for current employees and other insiders, such as contractors, consultants, suppliers and vendors, to steal information."
The global economy notwithstanding, many companies are loath to store sensitive data in Pakistan, Russia and China. In addition to the usual concerns about workers in developing countries, respondents are concerned about Islamic fundamentalism in Pakistan, the Russian mob and industrial espionage in China. Twenty-six percent of the respondents avoided storing or processing data in China, 27% in Pakistan and 19% try to keep data out of Russia, the survey found.
"China is a large developing nation," Shimeall wrote in the report. "They are people [who are] rich, but not resource rich. They are eager to develop the economy. The cheapest way, not necessarily the ethical way, is to indulge in industrial espionage."
The report concludes that companies doing business abroad must adopt strong incident response procedures, think strategically about protecting information beyond the core enterprise, procure contracts with specific security requirements and tighten controls around current and fired employees' access.
It's a new business world, and a more dangerous one for corporate information.
"It's a different kind of market, and that marketplace has evolved," said McAfee's Siegel. "There is an international trade where intellectual property is now a currency that can be traded and sold on an international level."