In Depth
Confidential Data at Risk
It's five o'clock; do you know where your data is?
By Larry Ponemon

What Storage Devices Are Most Likely to Contain Unprotected Data?
Our findings show that 60 percent of respondents believe the storage device that is most likely to contain unprotected sensitive or confidential data at rest is a PDA or comparable mobile device. More than 59 percent cite corporate laptops and 53 percent cite USB memory sticks as containing unprotected sensitive or confidential data. Desktops and shared file servers were at 36 percent and 35 percent, respectively.
What Poses the Greatest Threat to Data at Rest?
Employee negligence (42 percent) and broken business processes (33 percent) are considered the top two threats to data at rest. Respondents say the three most dangerous departments for safeguarding data at rest are: corporate information technology (62 percent), call centers (54 percent) and non-Web marketing operations.
On average, 64 percent of respondents admit that their companies have never conducted a data inventory to determine the location of customer or employee information contained in various data stores. Forty-nine percent of respondents admit that business confidential information has never been inventoried, and 48 percent report that intellectual properties have never been inventoried as a normal or recurring part of their company's IT information control process.
As shown in Bar Chart 3, more than 53 percent of respondents believe their companies would be unable to determine what sensitive or confidential information resided on a USB memory stick if it were lost or stolen. About 49 percent of respondents believe their companies would be unable to determine what data resided on a lost PDA or other comparable mobile device.
Bar Chart 3
If a data device were lost or stolen, how long would it take to determine the actual information on this device? Percentage of respondents saying "never":

Conclusion
Our research findings suggest that information security practitioners acknowledge the serious risks caused by not having adequate controls in place over electronic data stored throughout the enterprise. Our results also suggest that both business and governmental organizations are not taking appropriate steps to safeguard sensitive or confidential information such as intellectual property, business confidential documents, customer data and employee records.
As reported in our study, procedural controls such as data inventories and enabling security tools such as whole disk encryption should be implemented on a larger scale to reduce the risk of lost or missing data storage devices. In addition, our results strongly suggest that corporate IT and security need to focus on discovery and protection of sensitive or confidential data stored on peripheral devices, especially laptops, wireless-enabled PDAs and USB memory sticks.



