Security: Unprepared and Unresponsive
It's depressing to read yet another study that finds companies are failing to take obvious security steps. But here goes: "The Business Impact of Data Breach," a survey of 702 information security professionals released today by Scott and Scott LLP and the Ponemon Institute LLC, found:
More than 85% of respondent organizations reported that they have experienced a data breach event. (That's a much higher percentage than the 23% reporting a security breach in CIO Insight's soon-to-be-released 2007 security survey of IT executives. It makes me wonder whether CIOs and other senior IT executives are kept informed of all the breaches that have taken place, or whether they define a "breach" the same way. Both surveys use the word.)
Of those organizations, fewer than 43% had an incident response plan in place. (So when a breach occurred, most were winging their response.)
Following a breach, 46% of organizations still failed to implement encryption technology on portable devices. (Even though CIOs recognize this is a major security problem.)
82% failed to consult with legal counsel before responding to the incident.
Respondents believed data subjects suffered little or no monetary harm as a result of a breach, and therefore saw little benefit to victims in costly notification. (This helps explain why we keep finding, in our own security surveys, that many companies do not notify customers or employees when data has been stolen.)
Organizations experiencing a data breach incurred costs across the board: 74% report loss of customers, 59% faced potential litigation, 33% faced potential fines and 32% experienced a decline in share value.
Naturally, companies that experienced a breach were more likely to take basic "preventive" measures or follow "control" procedures like encrypting data, providing training and deleting all data from disposed PCs. But why wait for a breach to occur?
Comments (4)
Strange, since up to 2048 encrypted (software-based) VPNs are available. Anything under 128-bit is no longer valid since it has been cracked for over two years, more easily now with better computer power and more freeware on the internet to do it.
Posted by Bruce Nachman | May 16, 2007 12:38 PM
While this is certainly a problem, another ticking time bomb resides in the pile of hard drives that is building at every data center in the United States.
Who's addressing the chain of custody and other security issues when it comes to electronic data and media destruction? WE DO!
This may not be the hot topic today, but it will be gaining traction as the months go on.
Posted by Leigh Lanzet | May 16, 2007 12:57 PM
> Why wait for a breach to occur?
Because you have no other definitive source of information. The security world has been selling boxes since forever, and there is no clear indication if they are doing any good. The press world has been hyperventilating about the latest threat, since forever. Your own technical people have been saying that they need to spend more, since forever, but have been unable to provide compelling ROI. Your own support staff have been robbing you blind, since forever....
The only solid information out there comes from the bad guys. Might as well use it.
(This of course is not what happens. Instead, boxes are bought, staff are entangled, butts are covered, and the breach information is *not* used...)
Posted by Iang | May 18, 2007 7:39 AM
One would think that they would learn from the multitude of news reports of data breaches. Goodwill takes a long time for organizations to build, and a very short time to lose, when they unnecessarily endanger their stakeholders.
Posted by Craig Herberg | June 5, 2007 1:24 PM