Corporate Data Security Too Lax, Getting Worse
Companies aren't enforcing policies and tools for sharing sensitive information, a problem that's getting worse, a new study has found.
Sixty-five percent of 134 information-technology executives surveyed at the RSA 2011 security conference in San Francisco in February have no visibility into files and data leaving their organizations, according to the study by Lexington, Mass.-based Ipswitch File Transfer.
Part of the problem stems from employees using external devices in the workplace, Ipswitch's study determined. The company makes and sells file-transfer software for consumers and businesses.
And 57 percent save work files to external devices at least once a week, an 11 percent increase over 2010, the survey noted.
Failing to enforce information-sharing policies is just as risky as never having documented the policy in the first place, said Hugh Garber, product marketing manager at Ipswitch File Transfer.
One of the problems lies within companies not providing tools for employees to easily and securely move confidential files. Organizations can't enforce policies if they don't provide employees with alternative means to stay productive and share information.
More than 75 percent of the IT executives surveyed use e-mail accounts to send classified files as attachments, including payroll, customer data and financial information. Nearly 60 percent do it every week, the survey found.
Twenty-six percent of employees use personal instead of work e-mail accounts to hide from management the fact that they're transferring files off-site.
More than 40 percent of respondents ignored the information-security implications of last fall's WikiLeaks data breach. Only 16 percent took steps, including using new policies and tools, to protect against similar breaches, according to the survey.
Slightly less than 30 percent of company executives said they'd talked about the implications of WikiLeaks with their employees, but admitted that it didn't really change the way they share and protect information.
While many companies are still struggling to implement processes and technologies to protect business-critical information, executives say that they're making it a priority for 2011.
Of the IT executives surveyed at RSA this year:
40 percent said protecting sensitive information would be a top priority in 2011.
25 percent agreed that securing cloud computing would be important.
20 percent said that managing the flow of information, both internally and externally, is critical.
Nearly 55 percent of IT executives said their companies provide but do not enforce policies and tools about sharing sensitive information.
Fixing the problem
Policy enforcement needs to start at the top. Not only should management lead by example, but when policies are broken, they must follow through with action, Garber said. Management also needs to do a better job educating employees on the risks of losing confidential information and creating an enterprise-wide culture that values information security.
Garber said it's scary that so many companies lack visibility into the files and documents that are moving around and leaving their organizations.
How can an organization protect information that it doesn't even know exists? Clearly, increased focus is needed to first identify sensitive data and then protect it, he said. These critical information security components should be carefully baked into an organization's security, governance and compliance initiatives.
But Steve Coplan, an analyst at the New York-based 451 Group, said it's easy to point the finger at enterprises and say they need to have better security policies in place, yet those enterprises also need to have the tools to implement those policies in a cost-effective way.
It's not so much about what policies are or aren't in place at enterprises; it's really around how easy it is to resolve that or address that, Coplan said. What we've seen is, if you look at Dropbox or various other [consumer] file-sharing technologies, a lot of them are designed to be a lot easier to use for the end user and low cost.
They [companies] can use a secure file-transfer product, but generally they're difficult to use and it's difficult to enroll people in them. And it's difficult to [use them] to share across domains, between partners, and between customers and generally they're pretty expensive. Shifting [it] on to the enterprise saying they need to define the policies better is a little misleading.