Practical Analysis: Why Aren't We Better At Protecting Data?

We're not as good as we should be at handling sensitive data. One strong data point toward that conclusion comes from the watchdog site Privacy Rights Clearinghouse (www.privacyrights.org), which has been doing its best to track both the cause and effect of data breaches since 2005. Since then, the site has cataloged more than 262 million compromised records. Some are more severe than others, and some have been handled better than others, but that grand total should serve to verify my basic thesis: As a group, we aren't very good at this.

There's no particular group of institutions that fare worse on this list than another-- banks, state governments, federal agencies, educational institutions, insurers, healthcare organizations, and all other manner of businesses show up. What's striking about the list is that a large number of breaches result from simple theft, and from either poorly devised or poorly implemented policies. For these sorts of breaches, tighter regulation typically isn't the answer, and technology is only part of the answer.

Clearly, if systems with sensitive data are stolen from public places--one of the more common methods for exposures--there are policy issues, training issues, and technology issues at hand.

Do your policies allow for users taking significant numbers of sensitive records outside of the relative safety of your corporate walls? Maybe that's not such a good idea. If it's truly necessary, are your users adequately and regularly trained in how to keep that data safe, and have you employed the right technologies--like encryption--that will allow you to put some technical muscle behind your policy?

In our recent survey and report (available at dataprotection.informationweek.com) on data loss prevention, we found organizations still applying relatively the same policies to all users. At the same time, well over half have not yet implemented any form of encryption on mobile devices. Let's face it, if you're still more worried about whether Ed in accounting changes his password monthly to something longer than 12 characters with alpha, numeric, and punctuation symbols and is otherwise impossible for Ed to remember, while your sales team is running around with unencrypted client data on their laptops, something is very wrong with your data protection policies. To put it plainly, you're doing what's easy and cheap for you, but not what's in the best interest of the business and its customers.

Download our
Risk Intolerant: Defense in Depth And the Rise of Data Loss Prevention

>> Register to see all reports <<

Other discontinuities between policy and risk aren't hard to find. Poll respondents worried most about e-mail as a mechanism for losing sensitive data (47%), followed by removable media (32%); however, almost half don't encrypt sensitive data on removable media. It's a disaster waiting to happen, and the only thing worse than losing sensitive data is losing it and not knowing that it's gone. Here, too, it's a matter of policy, training, and technology. Log analysis software along with a policy and practice of actually using it is critical for protecting sensitive data.

Common sense and awareness of risks will go a long way in guiding DLP policies.

Art Wittmann is director of InformationWeek Analytics. Write to him at [email protected].

To find out more about Art Wittmann, please visit his page.

Register to see all reports at InformationWeekAnalytics.com.