IT security and compliance practitioners are exhibiting a "disturbing lack of confidence" in the ability of organizations to use sensitive information securely, a new survey finds.
The survey, which was sponsored by Oracle and conducted by the Traverse City, Mich.-based Ponemon Institute, looked at the data privacy and data protection concerns of 1,000 IT security workers and compliance professionals. It found that many see the potential for disastrous data loss and feel that their organizations aren't equipped to deal with the risk.
Among the survey's findings, 42% of respondents said they believe their organizations are doing a poor job of curbing the risk of loss or theft of confidential information. Meanwhile, 45% said they would be unable to identify and notify the users or customers affected by any potential data breach.
The Ponemon Institute also found that audit management tools and privileged user access controls are the data-protection technologies expected to get the most uptake in the next 12-18 months. This particular finding caught the eye of Peter Finnigan, a security consultant currently working with Siemens Ltd. and a well-known
Larry Ponemon, chairman and founder of the Ponemon Institute, said during a Tuesday webcast that the survey was conducted independently of Oracle's influence and that it was not designed to promote any specific product or service.
Finnigan said customers he has worked with are beginning to realize that securing data itself is more important than securing servers or networks. But, he added, it's a message that still hasn't fully taken hold.
"People are not taking care to secure sensitive and personal data," Finnigan said. "A lot of sites do not employ an audit at all or, if they do, it is woefully inadequate, and for this reason the survey could be correct that a lot of customers would not be able to tell their clients that there had been a breach."
Data breach list getting longer
The Ponemon Institute survey comes at a time when Pfizer Inc. reported that the identities of 17,000 current and former employees were compromised when an employee's spouse installed unauthorized file-sharing software on a company laptop where the data was stored. Also last week, the Division of Workforce Services for Salt Lake, Utah, reported that the social security numbers of 20,000 children are believed to have been stolen.
Big software vendors aren't immune to the dangers of data loss, either. Last month, IBM reported that tapes containing information mainly about former employees had been lost in transit. The exact number of people affected is not known.
breach has cost TJX about $25 million in related fees to date.
Stephen Wolfe, an information systems security officer for the 6th Medical Group at MacDill Air Force Base in Tampa, Fla., said the ongoing coverage of the TJX debacle should serve as a reminder that security programs need to be properly planned and adequately funded. It's a message that sometimes seems to be lost on organizational higher-ups such as CFOs and CEOs.
"You need to have the funds and the manpower to do the job properly," said Wolfe, who has worked for the government for about 30 years. "[TJX] could have been prevented if the people had been resourced properly."
Wolfe said that all of the high-profile data breaches in the news of late are unsurprising.
"If you're connected to the Internet, security is an important issue today," he said. "You cannot underscore that enough."
Too much information
During Tuesday's webcast, Ponemon said that, in general, IT security professionals such as chief security officers are slightly more pessimistic about data privacy than their counterparts who work in the area of compliance. But, he said, there is definitely an overriding feeling between both groups that organizations are ill-prepared to deal with data security threats.
One reason for that lack of confidence is that most IT and compliance pros feel that too much personally identifiable information is scattered across their IT systems, Ponemon said.
"In other words, [data is] just all over the place," he said. "This paints a pretty dismal picture here, and maybe it's dismal because organizations lack the controls and aren't listening to their IT practitioners."
Survey respondents were also highly concerned about what Ponemon called over-privilege, where giving the wrong people too much access to information can lead to serious errors and possible security breaches.
"This is a situation which is a common problem," he said. "Organizations will grant certain access rights to certain applications or certain types of data, and as a result of some decision made perhaps at the business unit level or perhaps in concert with IT, the access rights don't necessarily match the job function."