Knowing where sensitive data is located on an organization's computer systems would seem a prerequisite for sound IT security, but the vast majority of IT security practitioners say they can't count even on that fundamental premise, according to a Ponemon Institute study released Tuesday.
Only 16% of respondents said they knew where their organization's sensitive structured data resides, according to the State of Data Centric Security study. A mere 7% of respondents said they know the location of all sensitive unstructured data, including in emails and documents.
Not knowing where their organization's sensitive or confidential data is located was the No. 1 worry of the IT security respondents, eclipsing both hacker attacks and insider threats, according to the study.
The study, which was sponsored by data integration software provider Informatica, is based on a survey of 1,587 IT security professionals whose jobs include helping protect sensitive or confidential structured and unstructured data.
[Critical infrastructure: Phishing Scam Targeted 75 US Airports.]
The study's purpose was to determine how organizations are responding to threats to the security of their structured and unstructured data. It revealed that they mainly rely on the classification of sensitive data to protect their data assets.
When asked what technologies their organization uses to protect its structured data assets, 68% of respondents said sensitive data classification and 62% identified application-level access controls.
One of the key findings of the study was that while data security remains a continuing threat for organizations, it is not given the attention it merits.
"What this study shows is that data protection procedures at most organizations are woefully insufficient, as sensitive and confidential data continues to proliferate beyond traditional IT perimeters," said Larry Ponemon, the institute's chairman and founder.
Ponemon noted that while 79% of respondents agree that ignorance of sensitive data locations poses a serious security threat, only 51% believe that securing data is a high priority for their company.
The gap between the two suggests a lack of tools and resources, Ponemon said. "Clearly, the time is ripe for a wider adoption of automated solutions that make it easier and more economical to make data-centric security an enterprise priority," he said.
The study found that a clear majority of respondents (60%) said that their organizations are not using automated technologies to discover where sensitive or confidential data is located.
Of the 40% whose organizations are using automated tools, 64% said those tools are used to discover sensitive or confidential data located in databases and enterprise applications, but only 22% said they are used to uncover sensitive data in individual files and emails.
The most popular data security tools and capabilities are automated user access history with real-time monitoring and policy workflow automation, according to the survey.
A large majority of respondents were not confident in their ability to detect data breaches of either structured or unstructured data, the study found.
Twenty-six percent of respondents said they are confident in their ability to always detect a data breach involving structured data, while only 12% are as confident if the breach involves unstructured data.
When asked how a data breach might have been avoided, 58% of respondents said having more effective data security technologies in place, 57% cited more skilled data security personnel, and 54% said more automated processes and controls.
The best approach for organizations that are determined to discover all locations of their organizations' sensitive data is to procure a software tool that can automate the discovery, analytics, and visualization of sensitive data location and proliferation, according to the study.
"Automated sensitive data-discovery solutions are believed to reduce the risk to data and increase the security effectiveness," the study said.
NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work? Read the Protecting Critical Infrastructure issue of InformationWeek Government today.