Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/2/2009
03:15 PM
Art Wittmann
Art Wittmann
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Practical Analysis: Why Aren't We Better At Protecting Data?

Knowing where your peers have failed to protect data is the first step in crafting an effective data protection policy.

We're not as good as we should be at handling sensitive data. One strong data point toward that conclusion comes from the watchdog site Privacy Rights Clearinghouse (www.privacyrights.org), which has been doing its best to track both the cause and effect of data breaches since 2005. Since then, the site has cataloged more than 262 million compromised records. Some are more severe than others, and some have been handled better than others, but that grand total should serve to verify my basic thesis: As a group, we aren't very good at this.

There's no particular group of institutions that fare worse on this list than another-- banks, state governments, federal agencies, educational institutions, insurers, healthcare organizations, and all other manner of businesses show up. What's striking about the list is that a large number of breaches result from simple theft, and from either poorly devised or poorly implemented policies. For these sorts of breaches, tighter regulation typically isn't the answer, and technology is only part of the answer.

Clearly, if systems with sensitive data are stolen from public places--one of the more common methods for exposures--there are policy issues, training issues, and technology issues at hand.

Do your policies allow for users taking significant numbers of sensitive records outside of the relative safety of your corporate walls? Maybe that's not such a good idea. If it's truly necessary, are your users adequately and regularly trained in how to keep that data safe, and have you employed the right technologies--like encryption--that will allow you to put some technical muscle behind your policy?

In our recent survey and report (available at dataprotection.informationweek.com) on data loss prevention, we found organizations still applying relatively the same policies to all users. At the same time, well over half have not yet implemented any form of encryption on mobile devices. Let's face it, if you're still more worried about whether Ed in accounting changes his password monthly to something longer than 12 characters with alpha, numeric, and punctuation symbols and is otherwise impossible for Ed to remember, while your sales team is running around with unencrypted client data on their laptops, something is very wrong with your data protection policies. To put it plainly, you're doing what's easy and cheap for you, but not what's in the best interest of the business and its customers.

Other discontinuities between policy and risk aren't hard to find. Poll respondents worried most about e-mail as a mechanism for losing sensitive data (47%), followed by removable media (32%); however, almost half don't encrypt sensitive data on removable media. It's a disaster waiting to happen, and the only thing worse than losing sensitive data is losing it and not knowing that it's gone. Here, too, it's a matter of policy, training, and technology. Log analysis software along with a policy and practice of actually using it is critical for protecting sensitive data.

Common sense and awareness of risks will go a long way in guiding DLP policies.

Art Wittmann is director of InformationWeek Analytics. Write to him at [email protected].

To find out more about Art Wittmann, please visit his page.

Register to see all reports at InformationWeekAnalytics.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5423
PUBLISHED: 2020-12-02
CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
CVE-2020-29454
PUBLISHED: 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
CVE-2020-7199
PUBLISHED: 2020-12-02
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access,...
CVE-2020-14260
PUBLISHED: 2020-12-02
HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system.
CVE-2020-14305
PUBLISHED: 2020-12-02
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat ...