Study Finds Off-Network Security Off-Track
My company, Ponemon Institute, has been researching the issue of data breaches: the cost, the business impact, organizations’ response and what seem to be the most prevalent causes. Our latest research project was conducted to find out about loss or theft of data when off-network electronic devices are the target.
For the research report National Survey: The Insecurity of Off-Network Security, we interviewed more than 700 senior IT security professionals within U.S.-based business or government operations to understand how their organizations secure confidential data on off-network electronic equipment, and focused on the following four key issues:
1. How important is it for an organization to control data on electronic devices that are off-network?
2. What controls or procedures do organizations have in place to secure off-network data-bearing equipment or devices?
3. How rigorous is the enforcement of policies and procedures to protect confidential off-network data?
4. What are the primary causes for the theft or loss of data on electronic devices that are off-network?
The results of this independently conducted survey, sponsored by Redemtech, are interesting if not startling.
What did we find?
Is an organization’s confidential data as much at risk off-network as when it is on-network? According to IT practitioners surveyed, the answer is absolutely yes. But does protection of data off-network receive the same priority of protection as data on-network? The answer is absolutely no. The following are some of the most salient findings of our research:
- Protection of off-network data is not as big a priority in organizations as protecting data on the network. IT practitioners in our study acknowledge that off-network data is at risk and that, given the frequency of off-network data loss or theft, it should receive greater attention. Because it is not a priority, however, efforts are not made to measure the effectiveness of protecting off-network data.
- Human error, non-compliance with policies and negligence seem to be the overwhelming causes of off-network data breaches. Other Ponemon Institute research studies have found that the human element plays an important role in an organization’s ability to achieve its data protection objectives. In this study, it appears that employees’ compliance with policies and procedures is even more critical.
- In the protection of their data assets, organizations seem to focus their efforts on securing laptops, PDAs and other mobile electronic devices. This study reveals the vulnerability of servers, printers, fax machines and other office equipment to theft or loss. Further, many organizations do not clean drives and do not verify that sensitive data has been erased.
- Who is responsible for off-network security protection? According to our findings, there is no clear governance infrastructure for off-network security.
- Policies and procedures for the protection of off-network data are in place but as our study indicates, there is a sense of complacency about enforcing or monitoring compliance with policies. This seems to support the finding that non-compliance with internal policies or procedures is the primary cause for a breach. The study also reveals that most organizations do not communicate policies to general employees and contractors.
- IT practitioners are skeptical that the loss of off-network electronic equipment would be reported quickly enough to prevent the loss of confidential data. Again, this indicates that organizations’ procedures for off-network security are lax.
- When devices are on-network, an organization can deploy a range of technologies to secure confidential data. These include data loss prevention (i.e. content monitoring) technologies, encryption, and identity and access management systems. The issue with off-network devices is whether IT practitioners are deploying the right technologies. For example, when devices are idle or not in active use, encryption should be used to protect the data, together with strict enforcement of policies and procedures.
- It is no surprise, given the low priority organizations place on protecting confidential data on off-network devices, that the resources allocated are completely out of proportion to the risk. According to IT practitioners, less than 10% of the IT security budget is spent on this area of risk. This represents a misalignment of security resources.
- The occurrence of data breaches continues to be frequent. The findings of this study are consistent with other data breach studies conducted by Ponemon Institute. Our studies continue to reveal that an overwhelming number of organizations have experienced the loss or theft of confidential data.
- A large number of organizations have experienced the theft or loss of confidential data when it has been off-network. The practices and procedures for protecting data off-network are, therefore, as much an issue as those for protecting data when it is on-network. Both on- and off-network security should be important for all organizations.
I encourage you to read the full report, which is available at www.redemtech.com, or to email us at research@ponemon.org with questions about this or any other Ponemon Institute research.