There's no particular group of institutions that fare worse on this list than another-- banks, state governments, federal agencies, educational institutions, insurers, healthcare organizations, and all other manner of businesses show up. What's striking about the list is that a large number of breaches result from simple theft, and from either poorly devised or poorly implemented policies. For these sorts of breaches, tighter regulation typically isn't the answer, and technology is only part of the answer.
Clearly, if systems with sensitive data are stolen from public places--one of the more common methods for exposures--there are policy issues, training issues, and technology issues at hand.
Do your policies allow for users taking significant numbers of sensitive records outside of the relative safety of your corporate walls? Maybe that's not such a good idea. If it's truly necessary, are your users adequately and regularly trained in how to keep that data safe, and have you employed the right technologies--like encryption--that will allow you to put some technical muscle behind your policy?
In our recent survey and report (available at dataprotection.informationweek.com) on data loss prevention, we found organizations still applying largely the same policies to all users. At the same time, well over half have not yet implemented any form of encryption on mobile devices. Let's face it: if you're still more worried about whether Ed in accounting changes his password monthly to something longer than 12 characters, with alpha, numeric, and punctuation symbols, that is otherwise impossible for Ed to remember, while your sales team is running around with unencrypted client data on their laptops, something is very wrong with your data protection policies. To put it plainly, you're doing what's easy and cheap for you, but not what's in the best interest of the business and its customers.
Common sense and awareness of risks will go a long way in guiding DLP policies.
Art Wittmann is director of InformationWeek Analytics. Write to him at [email protected].