64% of UK Organisations Are Not Using Data Loss Prevention Tools, Jeopardising IT Security and Compliance, Survey Reveals

Without Taking the Necessary Steps to Identify Sensitive Data and Protect it From Loss or Misuse, Organisations are Jeopardising Compliance, Brand Reputation, and Competitiveness.

DATCHET, England, April 29, 2010 - CA (NASDAQ: CA), the world's leading independent provider of IT
management software, today announced the results of a European IT security
study revealing that 64% of UK organisations have not deployed Data Loss
Prevention (DLP) technology. This ranks the UK behind countries such as
France (only 23%), Ireland (50%), and Italy (60%). Without taking the
necessary steps to identify sensitive data throughout the enterprise and
protect it from loss or misuse, there is the risk of severe consequences
for non-compliance, potential damage to the brand reputation, and reduced
competitiveness.

According to the study, IT departments across the UK are struggling to
deal with compliance issues, such as the Payment Card Industry Data Security
Standard (PCI DSS) and the ISO 27001 information security standard.
Surprisingly, they are unaware of how technology could help and many are
unable to convince the business of the inherent risks to justify the required
investment. This is despite the fact many UK organisations expect data
privacy and national security to be the two areas of regulation that will
impact them the most in the next five years.[iii][iii]

With more organisations adopting cloud computing to process and store
data on an infrastructure managed by third parties, the need to apply
security policies at the data level is stronger than ever. The CA survey
highlights that IT security is a key factor in enabling the use of cloud
computing among UK organisations[iv][iv]. DLP tools help with understanding
the sensitivity of data and enable real time decisions to be made about what
is and is not allowed to be processed and stored in each cloud environment.
Employees should not be expected to understand all the issues, and may be
completely unaware that copying a document from one location to another is
moving it from an internally managed to a third party infrastructure.

A lack of time, a 'lack of compliance vision', and scarce resource
availability[v][v] mean that IT managers find it difficult to address many
compliance issues. All of these problems would easily be solved if
organisations could track and control their data more effectively. However,
it would not appear to be a priority: the research reveals that 'tracking the
use of data' is believed to be less of a hindrance to compliance among UK
organisations.

Those charged with managing IT security are most concerned about the
activities of external users[vi][vi]. They are also concerned about the
compromise of sensitive data, internet use, and the activities of internal
users. All of these are linked: it is the sharing of data between users
(often over the internet) that is behind many of the well publicised
incidents involving the loss of sensitive data.

To be effective, a COA requires three fundamental elements in place.
First, identity and access management (IAM) solutions which allow
organisations to understand people, their roles and responsibilities, and to
define and enforce their privileges. However, only 27% of UK organisations
have a full IAM system in place. Second, a COA requires the ability to locate
and classify data-52% of respondents say they have a system in place. The
third element required to support a COA is a way to enforce policies that
link people's roles to the use of that data. Many Data Loss Prevention tools
automate the second and third elements-albeit to varying degrees. And as
indicated earlier, 36% of UK organisations are currently using DLP
technology.

Besides providing the capability to accurately discover and classify
data, this identity-centric approach also helps police its use in a business
context: enabling the monitoring and inspection of information, while
enforcing pre-defined policies depending on the rights of the individual
concerned. Ultimately, organisations need the ability to strike the right
balance between effectively protecting their critical information from abuse,
while adopting flexible security measures that enable users to perform at
their best.

DLP tools are also increasingly being used for information control
purposes, especially as regulators continue to take more heavy touch
enforcement actions in an effort to achieve more credible discipline and
deterrence. For example, the Information Commissioner's Office was granted
the power to issue large penalties, which are designed to act as a deterrent
and to promote compliance with the Data Protection Act. This succeeds in
further raising the need for ownership to the board level.

"The survey findings, provide clear and timely evidence that UK
organisations require DLP technology in order to effectively support their
compliance requirements, protect their brand value, and maximise
competitiveness," says Simon Godfrey, Director, Information Security, Risk
and Compliance, CA. "As network perimeters continue to blur, it is clear that
security needs to be applied to the data throughout its lifecycle.
Information needs to be understood with policies applied to enforce who can
use it and how".

He added, "Linking DLP with IAM provides the right combination to achieve
this: allowing organisations to discover, monitor, and control critical
information wherever it is located, while ensuring that the information is
only used by the right individuals in the right way and according to their
roles and privileges. In essence, with the proliferation of sensitive
information across enterprises, this combination enables a much-need
practical approach for applying the principle of least privilege."

Bob Tarzey, Analyst and Director, Quocirca Ltd. comments, "Recent high
profile data breaches demonstrate that electronically-stored data is often
insufficiently cared for. This failure to protect data is costly, not least
because of the level of fines now being imposed by regulators. On top of this
there is the reputational damage and loss of competitive advantage that
usually ensue. The technology exists today to link the use of data to people
through enforceable policies. This allows a compliance-oriented architecture
to be put in place based on widely accepted information security standards,
such as ISO27001. Doing this enables UK organisations to allow the safe
sharing of information-both internally and externally-ensuring both the
continuity of business processes and good data governance."

Survey Methodology

The research for "You sent what? Linking identity and data loss
prevention to avoid damage to brand, reputation, and competitiveness" was
conducted by Quocirca, a primary research and analysis company specialising
in the business impact of ICT. A total of 270 interviews in 14
countries-including Belgium, Denmark, Germany, Finland, France, Ireland,
Israel, Italy, the Netherlands, Norway, Portugal, Spain, Sweden, and the
UK-were conducted in the second half of 2009. The interviews were with IT
Directors, Senior IT Security Managers, and other IT Managers in four
vertical sectors: telecommunications & media, manufacturing, financial
services, and government.

To download a copy of the survey report, please visit
www.ca.com/gb/mediaresourcecentre

About CA

CA (NASDAQ: CA), the world's leading independent IT management software
company, helps customers optimise IT for better business results. CA's
Enterprise IT Management solutions for mainframe and distributed computing
enable Lean IT-empowering organisations to more effectively govern, manage
and secure their IT operations. For more information, visit www.ca.com.

About Quocirca

Quocirca is a leading primary research and analysis company, specialising
in the impact emerging and evolving technologies have on businesses of all
sizes. Based in the UK, Quocirca's primary research reach is world-wide,
investigating, analysing and reporting on the perception of decision makers
and influencers in the end user environment around technologies within their
businesses.

EMEA Media Resource Centre

CA has setup a new online library, the EMEA Media Resource Centre where
will find numerous press related documents that are sorted by current topics.
You'll find abstracts for various bylined articles, background documents or
top ten lists. For more information please visit
ca.com/gb/mediaresourcecentre

Trademarks

Copyright (c) 2010 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All trademarks, trade names, service marks, and logos referenced
herein belong to their respective companies.

    Lisa Stassoulli
    +44(0)1753 241372
    Lisa.stassoulli@ca.com

Lisa Stassoulli, +44(0)1753 241372, Lisa.stassoulli at ca.com