Seventy-Seven Percent of Organizations Lost Data

Thursday, June 09, 2011



According to the results of a new study commissioned by Check Point and conducted by the Ponemon Institute, nearly 80% of organizations suffered data loss events over the past year.

The study, titled Understanding Security Complexity in 21st Century IT Environments, surveyed over 2,400 IT security administrators and reveals that "the primary cause for data loss resulted from lost or stolen equipment, followed by network attacks, insecure mobile devices, Web 2.0 and file-sharing applications and accidentally sending emails to the wrong recipient."

The most common type of data lost was consumer information, accounting for 52% of compromised data. Intellectual property and employee information each made up about one-third of the information exposed, with corporate plans accounting for about 16% of the lost data.

“With hundreds of data loss incidents every year – both reported and unreported – it’s no surprise the issues with governance, risk and compliance are being magnified. Data security in a modern day world means more than deploying a set of technologies to overcome these challenges. In fact, the lack of employee awareness is a primary cause in data loss incidents and is encouraging more businesses to educate their users about corporate policies in place,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute.

The study also found that nearly half of the survey respondents indicated that their company's employees had "little or no awareness about data security, compliance and policies," a contributing factor in many of the data loss events.

"We understand that data security and compliance are often at the top of the CISO's list. However, if you look at the drivers for data loss, the majority of incidents are unintentional. In order to move data loss from detection to prevention, businesses should consider integrating more user awareness and establish the appropriate processes to gain more visibility and control of information assets," said Check Point's Oded Gonda.

The study suggests organizations need to better understand the circumstances driving data loss events, including:

  • Understand the Organization’s Data Security Needs – Have a clear view and record of the types of sensitive data that exist within the organization, as well as which types of data are subject to government or industry-related compliance standards.
  • Classify Sensitive Data – Begin by creating a list of sensitive data types in the organization and designating the level of sensitivity. Consider establishing a set of document templates to classify data by Public, Restricted or Highly Confidential – creating more end user awareness about corporate policies and what constitutes sensitive information.
  • Align Security Policies with Business Needs – An organization’s security strategy should protect the company’s information assets, without inhibiting the end user. Start by defining company policies in simple business terms that are aligned with individual employee, group or organization’s business needs. Identity awareness solutions can provide companies with more visibility of their users and IT environment, in order to better enforce corporate policy.
  • Secure Data Throughout Its Lifecycle – Businesses should consider implementing data security solutions that secure their sensitive data in multiple forms – correlating users, data types and processes – and protect it throughout its lifecycle: data-at-rest, data-in-motion, and data-in-use.
  • Eliminate the Compliance Burden – Evaluate government and industry-driven compliance mandates and how they impact an organization’s security and business flow. Consider implementing solutions with best practice policies customized to meet specific regulations, including HIPAA, PCI DSS and Sarbanes-Oxley, for fast prevention on day one. Best practice policies also enable IT teams to focus on proactively protecting data beyond what’s required.
  • Emphasize User Awareness and Engagement – Involve the user in the security decision process. Technology can help educate users about corporate policies and empower them to remediate security incidents in real-time. Combining technology and user awareness sensitizes employees to risky behavior through self-learning techniques.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.