National Survey on the Detection and Prevention of Data Breaches

While many security professionals are confident about their ability to detect the occurrence of a large data breach, they are less than confident about their ability to prevent one.

According to the results of our recent national survey of information security professionals, data breaches continue to threaten organizations' ability to safeguard personal information. We believe our survey of information security professionals' experiences in detecting and preventing the leakage of sensitive or confidential information to unauthorized parties outside the organization enables us to learn from those who are in the trenches in the battle to protect confidential or sensitive data about people and their families.

Sponsored by PortAuthority Technologies, this independently conducted national survey by Ponemon Institute queried a representative sample of 853 respondents (see Sample section below for details) employed in corporate IT functions within U.S.-based organizations. Our survey focused on the following four issues:

  1. How do information security practitioners respond to data breaches?
  2. What technologies, practices and procedures are employed by organizations to detect and prevent data breaches?
  3. What are the issues, challenges and possible impediments to effectively detecting and preventing data breaches?
  4. How do organizations attempt to enforce compliance with their data-protection policies?

Our findings provide some interesting insights into the current perspectives and practices of organizations concerning the prevention and detection of security breaches.

Most Salient Findings

The following summary discusses what we believe to be the most salient findings from our research: organizations' ability to detect and prevent small versus large breaches, the idea that certain data is considered more important to safeguard, organizations' choice of technology to prevent and detect a security breach, and obstacles to achieving compliance with data-protection policies.

Are Organizations Effective in Preventing and Detecting Breaches?

More than 59 percent of respondents believe their company is effective at detecting breaches, and 39 percent state that content filtering is a primary technology used to detect and classify data breaches. Only 37 percent believe their company is effective at preventing breaches.

How do respondents view their organizations' ability to detect and properly classify a data breach? Figure 1 shows the approximate probability distribution for two classes of data breaches: large (10,000 or more customer records) and small (100 or fewer customer records). This graph is based on self-reported probabilities from respondents in terms of their belief that their company would detect a large or small breach. On average, the probability of detecting a large data breach is 68 percent, and the probability of detecting a small data breach is 51 percent.

The above pattern of findings suggests that respondents are uncertain about their company's ability to discover leakage of confidential information. Specifically, for a large breach involving more than 10,000 customer records, only 43 percent believe their company would detect this event at or above 80 percent of the time (or a 20 percent rate of detection failure). Seventy-six percent of respondents believe their organization would correctly detect a large breach at or above 60 percent of the time (or a 40 percent rate of detection failure).

For a small breach involving fewer than 100 customer records, 17 percent of respondents believe their company would correctly detect this breach at or above 80 percent of the time. About 38 percent of respondents believe their organization would detect a small data breach at or above 60 percent of the time.

Figure 2 shows the approximate false positive probability distributions for both large and small data breaches. (In this study, a false positive is defined as a probability or likelihood that a detected data breach is later determined to be a permissible transfer of data. In other words, what appears to be a leak of sensitive or confidential data is OK.)

Both Figures 2 and 3 are based on self-reported probabilities that the respondent's company would fail to correctly classify the breach event. On average, the false positive rate for a large breach is 21 percent, and for a small breach the false positive rate is 35 percent. Once again, it appears that most respondents are uncertain about their company's ability to correctly classify the data breach event. For a large breach, 67 percent of respondents believe the false positive rate is at or below 20 percent. For a small data breach, however, only 19 percent of respondents believe the false positive rate is at or below 20 percent.

Do Organizations Consider Certain Data More Important to Protect?

According to respondents, the loss or theft of intellectual property is viewed as the most serious data breach event in terms of risk, reputation and cost to the organization. Respondents view the loss or theft of customer or consumer data as the second most significant type of breach. The loss of customer information often requires notification under various privacy laws, making the incident a public event, which may diminish brand, reputation and customer confidence.

Are Technologies Effective in Preventing Data Breaches?

More than 66 percent of respondents report the use of technologies to help their organization manage the leakage of sensitive or confidential information. Access management is the most often used solution to prevent a data breach (41 percent). This finding suggests that close management of system access on a need-to-know basis is a good way to curtail data leaks. The next most commonly used technologies are secure network solutions (27 percent) and data encryption (22 percent).

The primary reason organizations would not use enabling technologies to prevent a data breach is cost. Specifically, 35 percent of respondents state that current data-leak prevention technologies are too expensive. Other reasons include: manual procedures are adequate (16 percent), the organization is not vulnerable to a breach (16 percent) and the false positive rate of existing technology-based data-leak solutions is too high (12 percent).

More than 81 percent of respondents state that policies and standard operating procedures are the primary manual control that organizations rely upon to detect and prevent data leaks. More than 71 percent of respondents state that close supervision of personnel who handle sensitive or confidential data is a primary control for preventing data breaches.

Of the organizations that use different types of technologies to help detect data breaches, approximately 39 percent state that content filtering is the most prevalent technology used today. More than 28 percent report that keyword monitoring technology is used by their organization. Other technologies used to prevent a data breach include: data-leak detection and prevention, event management systems, intrusion detection and digital rights management solutions.

Are Current Efforts to Ensure Compliance with Data-Protection Policies Effective?

More than 41 percent of respondents believe their organization is not effective at enforcing compliance with their organization's data-protection policies and procedures. Many respondents believe their company does not have the right leadership structure or enough resources to properly enforce compliance with required internal control procedures. Another contributing factor appears to be the fragmented use of portable storage technologies such as memory sticks that allow individuals to completely bypass enterprise-level control systems.

Figure 3 reports how respondents view the effectiveness of their organizations' data breach detection and prevention efforts.

The above figure also shows how respondents view the effectiveness of their organizations' enforcement practices. While more than 59 percent of respondents believe their company is effective at detecting breaches, only 37 percent believe the company is effective at preventing them. It is also interesting to see that less than 41 percent of respondents believe their organization is not effective at enforcing compliance with policies or procedures.

Sample

A random sampling frame of 6,679 adult individuals who reside within the United States was used to recruit participants for this Web survey. Our sampling frame was randomly selected from three national mailing lists of information security professionals. In total, 954 respondents completed the survey during an eight-day research period. Of the returned surveys, 101 were rejected because of incomplete or inconsistent responses. A total of 853 surveys were used as our final sample. This sample represents a 13.8 percent net response rate. The margin of error on all adjective-scale and Yes/No/Unsure responses is 2 percent or less.

On average, respondents have more than 7.3 years of experience in the information security field, and more than 3.5 years of experience in their current position. In total, 79 percent of respondents were males and 21 percent were females. While results are skewed on gender (that is, more male than female respondents), this is consistent with known demographics about the information security field in North America.

More than 35 percent of respondents state that their positions are located within the corporate CIO organization. About 22 percent state that they report to the organization's information security leader (CISO or CSO), and 12 percent state that they report to the company's privacy officer. More than 19 percent of respondents are employed in financial service companies. About 13 percent of the sample work for governmental organizations, including the military. More than 60 percent of respondents are employed by larger organizations (with more than 25,000 employees).

Conclusion

We find it most interesting that while many of these professionals are confident about their ability to detect the occurrence of a large data breach, they are less than confident about their ability to prevent one. Technology is used by a majority of these organizations to prevent a breach, but a significant percentage of respondents believe it is too expensive. Some (16 percent) believe it could never happen to them, and another 16 percent believe manual procedures are sufficient.

Don't overlook the insider threat posed by negligent or malicious employees. As reported in our study, a growing security threat is employees or contractors who can bypass an organization's formal detection systems and cause a data breach.

These observations are preliminary, and we believe that further research about the prevention and detection of security breaches, as well as the insider threat, is needed. If you have questions or comments about this research report or you would like to obtain additional copies of the document (including permission to quote from or reuse this report), please contact us by e-mail at research@ponemon.org.

Larry Ponemon is founder and chairman of Ponemon Institute. The Institute is dedicated to independent research and education that advances responsible information and privacy management practices in business and government.

Copyright © 2006 IDG Communications, Inc.
