Two recent surveys on information security practices point to both the management and technical challenges faced in locking down, once and for all, sensitive data from prying eyes and maliciousness. And, as countless other surveys have been warning us over the years, management isn't paying attention.
Few companies watch their back doors for data breaches
There’s a lot of work to be done, according to poll results released by Deloitte. Fewer than six percent of respondents polled during a recent Deloitte Webcast on the topic were “highly confident” that enterprises have sufficient controls in place to minimize the occurrence of cyber crime. Moreover, almost 40 percent of the 1,600 poll respondents are “not confident” in the controls implemented by enterprises.
And a survey I recently helped design and publish, as part of my work with Unisphere Research, finds that only a minority of companies are watching the back doors of their data infrastructures -- where break-ins can take place and remain undetected for a long time. The survey of 430 members of the Independent Oracle Users Group finds, for example, that two out of five companies are sending unencrypted live production data out the door to outside partners and development shops. The study was first conducted in 2008, and things haven't improved any since that time -- many security efforts may have been put on a back burner due to stresses on IT budgets during the recent economic slowdown. (Executive summary available at the IOUG research portal.)
Fewer than 30 percent of respondents are encrypting personally identifiable information in all their databases. Although slightly up from last year, this finding is startling given the number of existing data privacy and protection mandates that specifically call for data-at-rest encryption.
In addition, close to two out of five of respondents admit that their organizations ship live production data out to development teams and outside parties. More than one-third admit that the data is unprotected, or simply don’t know if it is protected. In many cases, the data consists of sensitive or confidential information.
There are costs and impacts that ripple through the entire enterprise as a result of a security breach, John Clark, partner in the security & privacy services practice at Deloitte, says in the Webcast. The financial impact alone is an eye-opener — he cited estimates from the Ponemon Institute that put the average cost of a data breach at about $202 per record. In total, that works out to average losses ranging from $613,000 to $32 million per incident, he relates.
Why are the costs of a data breach so high? “A large portion relates to lost business,” Clark explains. “There’s also the time and energy to respond to those incidents. There’s the notification that’s required to customers and others. … There’s also an impact from a compliance standpoint, and regulatory requirements. These types of breaches may lead to regulatory enforcement action from the Federal Trade Commission, state attorneys general, or others.”
Then there’s the operational impact — a single major security breach “has the potential of impacting almost every area of your business,” Clark relates. “What you tell your customers when they call in and ask questions. You may need to initiate marketing campaigns targeted on supporting the customer. When their information is breached, it breaches that level of trust that you had with your customer. Then there is the public relations standpoint — you may have a sticky situation with the media.”
Add to all this the “costs of information technology, people and remediating, responding and reacting to the incident, versus working in a strategic area that would add revenue to the business. Then there’s the question of what you’re going to tell your employees and what you’re going to tell your salesforce when it interacts with your customers.”
What’s a company to do then, to keep data as secure as possible? The first step is to get an understanding of what and where the valuable data is in the organization, Clark and co-presenter John Kula, director in the forensic & dispute services practice of Deloitte Financial Advisory Services, advise. “One of the most common things we run into in organizations is that if you ask the question of ‘do you know where your data is?’ there isn’t anybody who has a good view of that,” says Clark. “The IT departments should know that, but there is now a lot of information that is user-driven. We just see a lot of cases that companies don’t know where their most sensitive information is.”
Clark and Kula say it’s important to prioritize data to get an understanding of which parts of the data infrastructure are the most sensitive. “Look at your information assets,” Clark says. “Number one is focusing on priorities. You want to understand what the risks are and prioritize and focus on the most important things.”
Education and skills training are also essential. Clark urges enterprises to join and collaborate with industry associations to share security knowledge and concerns. Training can go a long way in today’s economic environment, in which staff are expected to do more with less, Kula observes. “If you think about the economy, with layoffs and cutbacks at the same time incidents are increasing exponentially, people are literally overwhelmed with all of their responsibilities.” Clark and Kula also recommend having contingency plans in place for when incidents happen.