Government // Cybersecurity
News
6/24/2014
12:32 PM
Connect Directly
RSS
E-Mail
50%
50%

Sensitive Data Protection Bedevils IT Security Pros

Most organizations don't know where their sensitive structured or unstructured data resides, says new Ponemon study.

Knowing where sensitive data is located on an organization's computer systems would seem a prerequisite for sound IT security, but the vast majority of IT security practitioners say they can't count even on that fundamental premise, according to a Ponemon Institute study released Tuesday.

Only 16% of respondents said they knew where their organization's sensitive structured data resides, according to the State of Data Centric Security study. A mere 7% of respondents said they know the location of all sensitive unstructured data, including in emails and documents.

Not knowing where their organization's sensitive or confidential data is located was the No. 1 worry of the IT security respondents, eclipsing both hacker attacks and insider threats, according to the study.

The study, which was sponsored by data integration software provider Informatica, is based on a survey of 1,587 IT security professionals whose jobs include helping protect sensitive or confidential structured and unstructured data.

[Critical infrastructure: Phishing Scam Targeted 75 US Airports.]

The study's purpose was to determine how organizations are responding to threats to the security of their structured and unstructured data. It revealed that they mainly rely on the classification of sensitive data to protect their data assets.

When asked what technologies their organization uses to protect its structured data assets, 68% of respondents said sensitive data classification and 62% identified application-level access controls.

One of the key findings of the study was that while data security remains a continuing threat for organizations, it is not given the attention it merits.

"What this study shows is that data protection procedures at most organizations are woefully insufficient, as sensitive and confidential data continues to proliferate beyond traditional IT perimeters," said Larry Ponemon, the institute's chairman and founder.

Ponemon noted that while 79% of respondents agree that ignorance of sensitive data locations poses a serious security threat, only 51% believe that securing data is a high priority for their company.

The gap between the two suggests a lack of tools and resources, Ponemon said. "Clearly, the time is ripe for a wider adoption of automated solutions that make it easier and more economical to make data-centric security an enterprise priority," he said.

The study found that a clear majority of respondents (60%) said that their organizations are not using automated technologies to discover where sensitive or confidential data is located.

Of the 40% whose organizations are using automated tools, 64% said those tools are used to discover sensitive or confidential data located in databases and enterprise applications, but only 22% said they are used to uncover sensitive data in individual files and emails.

The most popular data security tools and capabilities are automated user access history with real-time monitoring and policy workflow automation, according to the survey.

A large majority of respondents were not confident in their ability to detect data breaches of either structured or unstructured data, the study found.

Twenty-six percent of respondents said they are confident in their ability to always detect a data breach involving structured data, while only 12% are as confident if the breach involves unstructured data.

When asked how a data breach might have been avoided, 58% of respondents said having more effective data security technologies in place, 57% cited more skilled data security personnel, and 54% said more automated processes and controls.

The best approach for organizations that are determined to discover all locations of their organizations' sensitive data is to procure a software tool that can automate the discovery, analytics, and visualization of sensitive data location and proliferation, according to the study.

"Automated sensitive data-discovery solutions are believed to reduce the risk to data and increase the security effectiveness," the study said.

NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work? Read the Protecting Critical Infrastructure issue of InformationWeek Government today.

William Welsh is a contributing writer to InformationWeek Government. He has covered the government IT market since 2000 for publications such as Washington Technology and Defense Systems. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SachinEE
50%
50%
SachinEE,
User Rank: Ninja
6/28/2014 | 6:17:48 AM
Re: IT security should step up
It is a fact that most organizations don't know where their sensitive structured or unstructured data resides, says new Ponemon study. This is a very sensitive issue with the ongoing current theft and malicious activities revolving around delicate data that goes on. It is important that organizations keep track of all their data using IT security measures that are latest in the market. IT security measures should be upgraded so as to be able to secure the users' sensitive and delicate data.
SachinEE
50%
50%
SachinEE,
User Rank: Ninja
6/28/2014 | 6:17:48 AM
Re: IT security should step up
It is a fact that most organizations don't know where their sensitive structured or unstructured data resides, says new Ponemon study. This is a very sensitive issue with the ongoing current theft and malicious activities revolving around delicate data that goes on. It is important that organizations keep track of all their data using IT security measures that are latest in the market. IT security measures should be upgraded so as to be able to secure the users' sensitive and delicate data.
William Welsh
100%
0%
William Welsh,
User Rank: Strategist
6/26/2014 | 2:55:00 AM
Responses to "what keeps you up at night"?
When asked what keeps them up at night, 57% of respondents said not knowing where confidential data is located, 51% said migration to new platforms, 50% said temporary worker or contractor mistakes, 42% said third party or outsourcer management of data, 24% percent said migration to cloud, 23% said hackers, 21% said noncompliance with laws or regulations, 16% said broken business processes, 10% said employee mistakes and 6% said malicious employees. Each respondent was allowed three responses.  
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.