Information security both a management and technical challenge

Summary: Only a minority of companies are watching the back doors of their data infrastructures -- where break-ins can take place and remain undetected for a long time.

Two recent surveys on information security practices point to both the management and technical challenges faced in locking down, once and for all, sensitive data from prying eyes and maliciousness.  And, as countless other surveys have been warning us over the years, management isn't paying attention.

Few companies watch their back doors for data breaches

There’s a lot of work to be done, according to poll results released by Deloitte. Fewer than six percent of respondents polled during a recent Deloitte Webcast on the topic were “highly confident” that enterprises have sufficient controls in place to minimize the occurrence of cyber crime, and almost 40 percent of the 1,600 poll respondents are “not confident” in controls implemented by enterprises.

And a survey I recently helped design and publish, as part of my work with Unisphere Research, finds that only a minority of companies are watching the back doors of their data infrastructures -- where break-ins can take place and remain undetected for a long time. The survey of 430 members of the Independent Oracle Users Group finds, for example, that two out of five companies are sending unencrypted live production data out the door to outside partners and development shops. The study was first conducted in 2008, and things haven't improved any since that time -- many security efforts may have been put on a back burner due to stresses on IT budgets during the recent economic slowdown. (Executive summary available at the IOUG research portal.)

Fewer than 30 percent of respondents are encrypting personally identifiable information in all their databases. Although slightly up from last year, this finding is startling given the number of existing data privacy and protection mandates that specifically call for data-at-rest encryption.

In addition, close to two out of five respondents admit that their organizations ship live production data out to development teams and outside parties. More than one-third admit that the data is unprotected, or simply don’t know if it is protected. In many cases, the data consists of sensitive or confidential information.

There are costs and impacts that ripple through the entire enterprise as a result of a security breach, John Clark, partner in the security & privacy services practice at Deloitte, says in the Webcast. The financial impact alone is an eye-opener: he cited estimates from the Ponemon Institute that put the average cost of a data breach at about $202 per record. That results in total average losses ranging from $613,000 to $32 million per incident, he relates.

Why are the costs of a data breach so high? “A large portion relates to lost business,” Clark explains. “There’s also the time and energy to respond to those incidents. There’s the notification that’s required to customers and others. … There’s also an impact from a compliance standpoint, and regulatory requirements. These types of breaches may lead to regulatory enforcement action from the Federal Trade Commission, state attorneys general, or others.”

Then there’s the operational impact — a single major security breach “has potential of impacting almost every area of your business,” Clark relates. “What you tell your customers when they call in and ask questions. You may need to initiate marketing campaigns targeted on supporting the customer. When their information is breached, it breaches that level of trust that you had with your customer. Then there is the public relations standpoint — you may have a sticky situation with the media.”

Add to all this the “costs of information technology, people and remediating, responding and reacting to the incident, versus working in a strategic area that would add to revenue to the business. Then there’s the question of what you’re going to tell your employees and what you’re going to tell your salesforce when it interacts with your customers.”

What’s a company to do then, to keep data as secure as possible? The first step is to get an understanding of what and where the valuable data is in the organization, Clark and co-presenter John Kula, director in the forensic & dispute services practice of Deloitte Financial Advisory Services, advise. “One of the most common things we run into in organizations is that if you ask the question of ‘do you know where your data is?’ there isn’t anybody who has a good view of that,” says Clark.  “The IT departments should know that, but there is now a lot of information that is user-driven. We just see a lot of cases that companies don’t know where their most sensitive information is.”

Clark and Kula say it’s important to prioritize data to get an understanding of the parts of the data infrastructure that are the most sensitive. “Look at your information assets,” Clark says. “Number one is focusing on priorities. You want to understand what the risks are and prioritize and focus on the most important things.”

Education and skills training are also essential. Clark urges enterprises to join and collaborate with industry associations to share security knowledge and concerns. Training can go a long way in today’s economic environment, in which staff are expected to do more with less, Kula observes. “If you think about the economy, with layoffs and cutbacks at the same time incidents are increasing exponentially, people are literally overwhelmed with all of their responsibilities.” Clark and Kula also recommend having contingency plans in place for when incidents happen.


Talkback

  • RE: Information security both a management and technical challenge

    Thanks for the great info
    ashesmagee
  • RE: Information security both a management and technical challenge

    These surveys are a wake-up call for all organizations to invest in their information security infrastructure. Policies, procedures, training and technology need to be part of a much bigger system. When it comes to preventing a breach, there is no single solution. All organizations that work with sensitive data and information need to take a layered approach to securing both their devices and the data stored on them. This means investing time, money and technology into developing systems that protect as well as inform employees. Businesses also need to communicate their security policies and procedures to staff members so that they are aware of the implications of misusing their company's data and/or devices.

    Many thanks,
    Ashley, Absolute Software
    http://blog.absolute.com
    AshleyAbsolute