Confidential Data at Risk

It's five o'clock; do you know where your data is?

By Larry Ponemon

August 01, 2006, CSO

A primary reason corporate data security breaches occur is that companies do not know where their sensitive or confidential business information resides within the network or enterprise systems. This lack of knowledge, coupled with insufficient controls for data stores, poses a serious threat for both business and governmental organizations. Moreover, the danger doesn't stop at the network, but includes employees' and contractors' laptop computers and other portable storage devices.

Consider, for example, a recent data breach involving the U.S. Department of Veterans Affairs (VA) and the loss of veteran records that were stored on an employee's laptop computer. Records contained the names and Social Security numbers of almost 27 million living veterans. According to the press, this laptop was stolen from the employee's home office, which resulted in huge remediation costs and reputation damage for the VA and federal government.

How could such a breach happen? Did the VA know that employees routinely acquire massive databases containing sensitive personal information? If so, why was an employee allowed to store unprotected files on his laptop computer? Finally, how was the VA able to know that this stolen laptop contained unprotected sensitive personal information?

In this survey we focus on all electronic information that is housed or located on data storage devices within the organization's IT infrastructure (often referred to as "data at rest"). In addition to primary storage devices such as networked servers, such data may reside on portable peripheral devices that from time to time connect to the network, such as laptop computers or other wireless devices (PDAs). It may also extend to USB memory sticks that can capture and transport large amounts of electronic data, potentially in a stealth mode.

Vontu and Ponemon Institute conducted the first "U.S. Survey: Confidential Data at Risk" to better understand the nature and extent of issues that occur because companies do not have adequate control over the storage of sensitive or confidential data at rest. Our independently conducted survey queried 484 respondents who are employed in corporate IT departments within U.S.-based business or governmental organizations.

Our survey focused on the following four issues:

  1. How pervasive is the problem of unprotected confidential data at rest?
  2. How do information security practitioners locate sensitive or confidential business information that resides (somewhere) within their organization's IT infrastructure?
  3. What technologies, practices and procedures are employed by organizations to locate and control sensitive or confidential data at rest on peripheral or temporary devices such as laptops, PDAs and memory sticks?
  4. What are the issues, challenges and possible impediments to effectively locating unprotected sensitive or confidential data residing on peripheral or temporary devices?


How Pervasive Is Laptop Loss or Theft?
