Information Theft Reaches Estimated $59 Billion

U.S. corporations lost $59 billion in proprietary information and intellectual property during the past year, according to a report released by the American Society for Industrial Security (ASIS), PricewaterhouseCoopers and the U.S. Chamber of Commerce.

But what the report’s authors and other security experts find most alarming (though not surprising) is the fact only a little more than 13 percent of Fortune 1,000 companies even responded to the survey conducted earlier this year. Of those 139 who did respond, only 40 percent of them reported an incidence of known or suspected information theft.

The actual dollar amount is probably much, much higher than the $59 billion reported, experts said, though for various reasons, it’s hard to put a quantifiable number on theft of private property.

“I’d say without any hesitancy this is a conservative number,” said Vicki Contavespi, a spokesperson at ASIS. “Even conservatively, that’s a huge chunk of change.”

The report, Trends in Proprietary Information Loss Survey, the 10th such report, found a “troubling managerial attitude” in the companies that did respond to the survey — 138 Fortune 1,000 companies and 600 small-to-medium sized companies. Only 55 percent of the respondents found their managers were concerned about information loss and taking steps to safeguard their critical information.

Todd Tucker, director of security architecture and strategy at PentaSafe, a security management firm, said he isn’t surprised by the low turnout for the survey and that it is comparable to the results found in many surveys conducted by security organizations.

He said many of these companies that decline to respond are still trying to figure out what kind of security breaches they have before attempting to correct the problem.

“I don’t think companies are intentionally ducking their heads. What I think is happening is they are going through the process of learning the risks that are inherent to their own companies and they’re figuring out how to deal with those problems,” Tucker said. “What surveys like these do is help security officers and risk management personnel justify resources spent on efforts like security awareness and increasing information security.”

The most common types of information stolen, the survey found, are research and development (49 percent), private customer lists and personal information (36 percent) and financial data (27 percent).

Exacerbating the problem is the fact most companies are reluctant to disclose the extent of their breaches, for fear of embarrassment or loss of customers in the event the findings were published.

That reluctance, Contavespi said, is keeping U.S. security experts from determining the extent of the problem and finding a way to come up with a solution for corporate security woes.

“They have to get over their reluctance to share information about losses so we can figure out the full extent and nature of the problem,” she said. “They need to centralize their loss reporting system, they have to make information protection a higher priority and they have to set up a system for valuing intellectual property.”

Tucker, who is also a member of the Human Firewall Council, said a report published several weeks ago by the organization, Security Management Practices, shows the common security practices at many companies throughout the U.S. The benchmarks found there, as well as a few simple security awareness issues can prevent some of the most flagrant breaches.

“I believe that where companies should start is with educating their own people as to the risks related to information technology and the value of their information and educating them on how to better protect that information,” he said. “In our survey, we found that only 1/3 of the companies had a classification scheme. That’s tremendously important to curtailing losses such as this.”

The ASIS report shows that, indeed, the losses can quickly add up on research and development thefts, which amounted to $404,000 per incident. Individual financial data thefts cost companies an average $356,000.