by Larry Ponemon

Confidential Data at Risk

Aug 01, 2006

It's five o'clock; do you know where your data is?

A primary reason corporate data security breaches occur is that companies do not know where their sensitive or confidential business information resides within the network or enterprise systems. This lack of knowledge, coupled with insufficient controls for data stores, poses a serious threat for both business and governmental organizations. Moreover, the danger doesn't stop at the network; it extends to employees' and contractors' laptop computers and other portable storage devices.

Consider, for example, a recent data breach involving the U.S. Department of Veterans Affairs (VA) and the loss of veteran records that were stored on an employee's laptop computer. The records contained the names and Social Security numbers of almost 27 million living veterans. According to the press, the laptop was stolen from the employee's home office, which resulted in huge remediation costs and reputation damage for the VA and the federal government.

How could such a breach happen? Did the VA know that employees routinely acquire massive databases containing sensitive personal information? If so, why was an employee allowed to store unprotected files on his laptop computer? Finally, how was the VA able to know that this stolen laptop contained unprotected sensitive personal information?

In this survey we focus on all electronic information that is housed or located on data storage devices within the organization's IT infrastructure (often referred to as data at rest). In addition to primary storage devices such as networked servers, such data may reside on portable peripheral devices that from time to time connect to the network, such as laptop computers or other wireless devices (PDAs). It may also extend to USB memory sticks, which can capture and transport large amounts of electronic data, potentially without being noticed.

Vontu and Ponemon Institute conducted the first U.S. Survey: Confidential Data at Risk to better understand the nature and extent of issues that occur because companies do not have adequate control over the storage of sensitive or confidential data at rest. Our independently conducted survey queried 484 respondents who are employed in corporate IT departments within U.S.-based business or governmental organizations.

Our survey focused on the following four issues:

  1. How pervasive is the problem of unprotected confidential data at rest?
  2. How do information security practitioners locate sensitive or confidential business information that resides (somewhere) within their organization's IT infrastructure?
  3. What technologies, practices and procedures are employed by organizations to locate and control sensitive or confidential data at rest on peripheral or temporary devices such as laptops, PDAs and memory sticks?
  4. What are the issues, challenges and possible impediments to effectively locating unprotected sensitive or confidential data residing on peripheral or temporary devices?

How Pervasive Is Laptop Loss or Theft?

Eighty-one percent of respondents report that their organizations have experienced one or more lost or missing laptop computers containing sensitive or confidential business information in the past 12-month period. Only 10 percent state that their company has not lost sensitive or confidential business information on a laptop in the past year. Nine percent report not knowing.

Not all lost laptops require notification, because the data may have been encrypted or might not have revealed any personally identifiable information about data subjects (i.e., customers, consumers or employees). Despite this caveat, this finding provides evidence that the loss or theft of sensitive or confidential data at rest, such as intellectual property, business confidential documents, customer data and employee records, is a pervasive problem that occurs within many companies.

What Kinds of Corporate Data at Rest Pose the Greatest Risk?

Organizations are increasingly worried about experiencing a data breach. With respect to their organizations' current information security priorities, respondents rank the following activities as their top three: protecting sensitive or confidential data in motion (transfer), managing identity and access, and protecting sensitive or confidential data at rest. With respect to data at rest, 81 percent of respondents report that it is a priority for their organizations this year, and 89 percent anticipate it will be a priority next year.

The four types of data considered to be most at risk in an organization are intellectual property, business confidential information, customer and consumer data, and employee data. It is interesting to note that most respondents believe the most serious kinds of data breaches involve the loss or theft of intellectual property and business confidential information.

Customer and consumer data and employee data are ranked third and fourth, respectively. The types of intellectual properties believed to be most at risk include electronic spreadsheets, competitive intelligence and source code. Bar Chart 1 shows the types of intellectual properties that pose the greatest threat, according to respondents in our study.

[Bar Chart 1: What kinds of intellectual property create the greatest risk to the organization if lost or stolen?]

A majority of respondents also view a corporate data breach of business confidential information to be very serious. The types of business confidential information believed to be most at risk include non-public financial statements, accounting reports, and budgets or forecasts. Bar Chart 2 shows the business confidential information that respondents say poses the greatest data risk.

[Bar Chart 2: What kinds of business confidential information create the greatest risk to the organization if lost or stolen?]

What Storage Devices Are Most Likely to Contain Unprotected Data?

Our findings show that 60 percent of respondents believe the storage device that is most likely to contain unprotected sensitive or confidential data at rest is a PDA or comparable mobile device. More than 59 percent cite corporate laptops and 53 percent cite USB memory sticks as containing unprotected sensitive or confidential data. Desktops and shared file servers were at 36 percent and 35 percent, respectively.

What Poses the Greatest Threat to Data at Rest?

Employee negligence (42 percent) and broken business processes (33 percent) are considered the top two threats to data at rest. Respondents say the three most dangerous departments for safeguarding data at rest are: corporate information technology (62 percent), call centers (54 percent) and non-Web marketing operations.

On average, 64 percent of respondents admit that their companies have never conducted a data inventory to determine the location of customer or employee information contained in various data stores. Forty-nine percent of respondents admit that business confidential information has never been inventoried, and 48 percent report that intellectual properties have never been inventoried as a normal or recurring part of their company's IT information control process.

As shown in Bar Chart 3, more than 53 percent of respondents believe their companies would be unable to determine what sensitive or confidential information resided on a USB memory stick if it were lost or stolen. About 49 percent of respondents believe their companies would be unable to determine what data resided on a lost PDA or other comparable mobile device.

[Bar Chart 3: If a data device were lost or stolen, how long would it take to determine the actual information on this device? Percentage of respondents saying "never".]

Our research findings suggest that information security practitioners acknowledge the serious risks caused by not having adequate controls in place over electronic data stored throughout the enterprise. Our results also suggest that both business and governmental organizations are not taking appropriate steps to safeguard sensitive or confidential information such as intellectual property, business confidential documents, customer data and employee records.

As reported in our study, procedural controls such as data inventories and enabling security tools such as whole disk encryption should be implemented on a larger scale to reduce the risk of lost or missing data storage devices. In addition, our results strongly suggest that corporate IT and security need to focus on discovery and protection of sensitive or confidential data stored on peripheral devices, especially laptops, wireless enabled PDAs and USB memory sticks.
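As an added illustration, not part of the Ponemon Institute/Vontu report, here is a minimal data-at-rest inventory scan of the kind the recommendation above calls for: it walks a directory tree, flags files containing plausibly valid Social Security numbers, and records where each hit lives, so an organization could answer the question the VA could not. The sample files are constructed inline, and the validity check uses only the public SSN format rules (area not 000, 666 or 900-999; group not 00; serial not 0000).

```python
import os
import re
import tempfile

# Constructed sample "data store": files as they might sit on a laptop or file share.
SAMPLE_FILES = {
    "hr/benefits.csv": "name,ssn\nA. Veteran,219-09-9999\nB. Veteran,078-05-1120\n",
    "finance/budget.txt": "FY2006 forecast: ref 000-12-3456 is not an SSN; payee 123-45-6789\n",
    "notes/readme.txt": "Nothing sensitive here, just build notes.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area, group, serial):
    """Public SSN format rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def count_ssns(text):
    """Number of SSN-shaped values in text that pass the format rules."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))

def inventory(root):
    """Walk a directory tree; return {relative path: SSN count} for files with any hits."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            if n:
                hits[os.path.relpath(path, root)] = n
    return hits

def build_sample_store():
    """Write the constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, n in sorted(inventory(build_sample_store()).items()):
        print(f"{path}: {n} SSN-like value(s)")
```

A real inventory would also record the host or device each path was found on and whether that volume is encrypted, which is what turns a hit list into an answer to "what was on the lost laptop?"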

While these observations are preliminary, we believe further research is needed regarding the prevention and detection of data security breaches as well as the controls necessary to secure data at rest. If you have questions or comments about this research report or would like to obtain additional copies of the document, please contact us at

Larry Ponemon is founder and chairman of Ponemon Institute. The institute is dedicated to independent research and education that advances responsible information and privacy management practices in business and government.