
Three New Ponemon Reports Show How Businesses Are At Risk

Three interesting research reports have been published by the Ponemon Institute during the past few days, two of them addressing issues of encryption and another examining the value proposition of corporate data protection efforts within various business segments.

This week, Ponemon released its fourth annual U.S. Encryption Trends Study, which found an alarming 85% of businesses surveyed admitting that they have experienced a data breach during the past year, up from 60% in the 2008 study. The number of companies experiencing more than five data breaches in one year rose to 22%, up from 13% last year.

Similarly, the UK Enterprise Encryption Trends study found that 70% of UK organizations have been hit by at least one data breach incident within the past year, up from 60% in the previous year. The number of firms experiencing multiple breaches also rose, with 12% of respondents admitting to more than five data loss incidents in 2009, up from 3% in 2008. Both studies were commissioned by PGP Corp.

News coverage of the U.S. study and the UK results strongly indicates that businesses must have a holistic data encryption strategy to reduce data security risks to their businesses and customers. As InternetNews noted in its coverage, the studies are a clear indicator of change as more organizations adopt encryption to comply with industry regulations and state and federal laws.

According to the reports, organizations now see a special need to protect mobile devices, such as data-bearing laptop computers. "More than 59 percent of respondents say it is very important or important to encrypt employees' mobile devices - a sign that organizations recognize that valuable data is more mobile than ever," according to Ponemon.

The third new Ponemon report focuses on the data security perspectives between CEOs and other C-Level executives, and their concerns about threats to sensitive and confidential data. Similar to the two encryption studies, this research, commissioned by Ounce Labs, found that 82% of the C-Level executives surveyed said that their organizations had experienced a data breach and 94% of those who admitted to a data breach said that it occurred within the past six months. But the study also goes on to say many of these same executives admit that they are positive they cannot prevent another breach, which is disturbing, to say the least.

Among the more interesting findings are:

• Respondents said they believe the purpose of data protection programs is to reduce or mitigate the risk of data loss or theft; improve information flows about people, such as consumers, customers, business partners and other stakeholders; and increase brand or marketplace image
• Currently, the most frequently used measures to determine the success of a data protection program include how much data breach recovery costs, fines and legal defense costs are reduced
• Given the goals C-level executives have for their data protection programs, they indicate that they should have measures that determine asset performance, asset protection, including the protection of intellectual properties, and reputation management
• 85% of those who are said to be in charge of data protection don’t believe that a failure to stop a data breach would impact their job
• 53% of the CEOs surveyed said that the CIO is responsible for data protection, while 24% of the other C-level executives would point to the CIO as the one responsible for the data protection overall

Comments that I found interesting from the report include:

• “In times of shrinking budgets, it is important for those individuals charged with managing a data protection program to understand how key decision makers in organizations perceive the importance of safeguarding sensitive and confidential information.”

• “In this study, we learned that C-Level executives believe good data protection practices can support important organizational goals such as compliance, reputation management, and customer trust. However, we also learned that the majority of respondents are not confident in their ability to safeguard sensitive and confidential information.”

As Tech Herald points out in its news coverage, the results show that there is no clear accountability at any level. Most executives appear to want to blame someone else when a data security breach occurs. There are other glaring disconnects between the CEO and the other C-Level executives, such as indications that most CEOs underestimate risk. Forty-eight percent of the CEOs surveyed said they believe their organizations are rarely attacked.

The overarching message of all three of these recent studies is that failure to encrypt data on off-network data-bearing mobile devices and security disconnects within an organization place businesses and their customers at risk.


 

Comments

John Franks

David Scott, author of I.T. WARS, believes these data breaches and thefts are largely due to a lagging business culture. Google “I.T. WARS” and you can read a good bit of it on Google Books – it’s also in many libraries. Read some fresh and original thinking here - http://www.businessforum.com/DScott_02.html - I urge every business person and IT person, management (IT Governance) or staff, to get hold of a copy of “I.T. Wars: Managing the Business-Technology Weave in the New Millennium.” It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations. Our CEO has read this book. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don’t want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book - then ask your boss to read it - then ask your staff and co-workers to read it.
