ABOUT SYMANTEC

Press Release

New Research Shows User Errors the Leading Cause of Data Loss

Quarterly Research from the IT Policy Compliance Group Indicates 68 Percent of Organizations Experience Six Losses of Sensitive Data Annually

CUPERTINO, Calif. – March 8, 2007 – The IT Policy Compliance Group today announced the availability of its latest research report titled “Taking Action to Protect Sensitive Data.” According to the report, twenty percent of organizations are suffering from 22 or more sensitive data losses per year. The most sensitive losses include customer, financial, corporate, employee, and IT security data, which is either stolen, leaked, or destroyed. The primary channels through which data is lost – in order of risk – includes PC’s, laptops and mobile devices, email, instant messaging, applications and databases.

Organizations experiencing publicly reported data breaches are finding it costs money and customers to not protect data; on average these firms are experiencing an 8 percent loss of revenue and a similar loss of customers worried about personal data. Compounding the revenue and customer losses are additional expenses averaging $100 per lost or stolen customer record to notify customers and restore data.

“Preventative measures such as built-in IT controls are vital to ensuring that businesses protect the data they collect. It shouldn’t be an after thought , but rather considered up-front in the design of hardware and software redundancy to ensure the information is kept secure and supported throughout the data lifecycle,” says Heriot Prentice, director of technology practices at The Institute of Internal Auditors. “It’s that simple. If you collect it, then protect it”.

The benchmark results show that firms with the fewest data losses are identifying sensitive core business data, mitigating user errors, policy violations and internet attacks, and monitoring many different IT controls and procedures weekly. The first line of defense to protect data continues to be the people who are handling data. Businesses must develop and update policies for sensitive data protection, handling, retention, and destruction that include accountability programs.

"While some of the results here may give cause for alarm, there's also the strong suggestion that some organizations have managed to provide responsible oversight of their data, said Robert Richardson, director at the Computer Security Institute. "These are organizations we want to applaud and to emulate."

According to responses from organizations with the fewest losses of sensitive data, they are spending more time monitoring policy compliance and are employing multiple IT controls to reduce the loss of sensitive data. Best-in-class organizations are monitoring and measuring controls and procedures to protect sensitive data once a week, while most firms are conducting such measurements only about once every 176 days. In addition, organizations with the fewest losses of sensitive data classify IT security and regulatory data as sensitive and take the necessary steps to secure it.

“Failing to protect IT security and regulatory audit data is like a bank giving away the combination to the vault,” said Jim Hurley, managing director, IT Policy Compliance Group. “Instead of securities and cash, these firms are putting sensitive data, customers, revenues and business futures entirely at risk.”

The IT Policy Compliance Group report outlines recommendations to help organizations improve sensitive data protection. These include:

  • Taking time to identify the most sensitive business data
  • Training employees and implementing technology to mitigate user errors, policy violations, and internet attacks
  • Monitoring controls and procedures to ensure compliance
  • Increasing the frequency of audits and measurements

For more information and to download the latest research report titled “Taking Action to Protect Sensitive Data” visit www.ITPolicyCompliance.com.

About IT Policy Compliance Group The IT Policy Compliance Group is dedicated to improving IT compliance results for organizations and is made up of members from several leading organizations including: the Computer Security Institute, The Institute of Internal Auditors, Protiviti, and Symantec Corporation (NASDAQ: SYMC). The group conducts fact-based benchmark research to determine the best practices that result in improvements to IT compliance results for organizations.

NOTE TO EDITORS: If you would like additional information on the IT Policy Compliance Group, please visit the About Us section of the Web site at http://www.itpolicycompliance.com/about%5Fus/.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.