Survey: Organizations Not Doing Enough to Secure Data

A new survey conducted by Insight Advantage and sponsored by IT security company Workshare, based in San Francisco, shows that organizations are not doing enough to prevent IT data breaches and the loss of "sensitive" data.

The survey is based on interviews with 359 executives responsible for security, compliance, risk management and legal issues at large organizations in North America.

Looking the Other Way

The findings included:

• A total of 94 percent of respondents reported having no visibility into how many e-mail messages containing confidential or private information were leaving their organization each month or believed that some leaks were occurring.
• Only 6 percent reported no information leaks.
• A total of 80 percent of participants reported having information leaks -- through e-mail or other electronic channels such as Blackberrys or HTTP links -- or admitted to no visibility to leaks that occurred within their organization last year.
• About 17 percent were afraid to know how many leaks they had.

Most surprisingly, a total of 57 percent of companies don't have a specific method for enforcing data privacy and document security policies, said Dave McKee, a spokesperson for Workshare.

There are behind-the-scenes reasons for this -- including the perception among many in corporate IT departments that a one-size-fits-all security solution would be developed, someday, by some developer.

'Naive' Thinking

"Content security adoption has been slow because the expectation of a magic 'bump-in-the-wire' solving challenging information protection problems was completely naive," said Peter Christy, a principal at Internet Research Group, a leading market analysis firm, based in Los Altos, Calif.

"An in-depth examination of the real issues suggests quite different approaches in which the system serves to provide clear and immediate feedback to individuals," Christy continued. "This both alerts and prevents serious problems, but more importantly, provides on-going education and training on these important issues. Security is only effective if it is part of doing the job; it can't be bolted on as an afterthought."

It is not just small companies who are laggards with security measures. The world's biggest employer, the U.S. government, has performed poorly in this area of content security. In fact, the government has set a deadline next month for all government agencies to encrypt sensitive data after the embarrassing theft of millions of veterans' personal information, but experts warn a quick technology fix will not cure security problems.

Encryption and other security technology may help ease the problem, somewhat, but overall poor handling of data and equipment, inadequate training and the red tape-filled government bureaucracy are seen as the primary causes of vulnerability there.

A holistic approach is needed to help small, and big, customers alike secure their content, according to Christy. Such a security system should be integrated, entirely, into the networks of corporations, so it will provide comprehensive security, and not just examine outbound e-mail messages, he explained.

Key Elements

"Immediate and pre-emptive user feedback -- that is a critical element of the actual problem solution," Christy said.

That does not, however, mean that companies are always going to have to spend themselves into oblivion to make themselves secure. In fact, firms that have reached a high level of IT security practice maturity can actually safely reduce the percentage of security spending in their IT budget to an average of "between three and four percent," according to research and advisory firm Gartner (NYSE: IT).

Those firms that have had historically underinvested in security or are in highly regulated environments -- about 90 percent of all organizations -- may have to spend at least eight percent of their IT budget on security.

"It's a matter of implementing the technology efficiently and effectively so resources can be focused on new threats," said Ant Allan, research vice president at Gartner. "Organizations that are still impacted by everyday routine threats must ramp up to become more mature in their approach."

Only 10 percent of organizations can be classified as having achieved a high level of IT security maturity today, increasing to 20 percent by 2008, according to Gartner. That is much improved from last year -- in which just five percent of IT budgets were set aside for security. As a result, many organizations will "continue to invest aggressively in IT security" for the next few years, Gartner said.