Study: Many believe data thefts can't be prevented

Lack of resources cited for difficulties in stopping data breaches

Fresh on the heels of a string of highly publicized, corporate data breaches, 63% of respondents to a new data security study said they don't believe they can prevent such breaches.

"This group came out much, much more negative than I ever expected," said Larry Ponemon, the founder and chairman of the Ponemon Institute LLC, an Elk Rapids, Mich.-based firm that looks at information and privacy management practices in business and government. "They said they're bad at detecting [breaches], but even worse at preventing [breaches]."

The 11-page study (PDF format), "National Survey on the Detection and Prevention of Data Breaches," which was released yesterday, is based on responses from 853 IT professionals, including senior executives, information security managers and others. The study was sponsored by PortAuthority Technologies Inc., a Palo Alto, Calif.-based vendor of information leak prevention software.

The study also found that 41% of respondents said their companies are not effective in enforcing data security policies because of a lack of corporate resources.

"A general frustration came out that they don't have the tools or the resources to do the job, and that these responsibilities have been pushed into their laps" but they haven't been given extra help, equipment, software or other tools, said Ponemon, who is a Computerworld.com columnist. "Somehow they're being held responsible for knowing when a breach occurs."

About 66% of the respondents said their companies use hardware or software to help detect or prevent data breaches, but the remaining respondents said their companies don't use such tools because of their high costs.

Some 16% said their companies believe that their manual security procedures are enough and that their company is not vulnerable to a data breach.

"I think a lot of these companies are completely out of control ... in protecting sensitive or confidential business information," Ponemon said. "There's a lot of room for improvement."

Other highlights of the study include the following:

  • 59% of those surveyed said they believe they can effectively detect a data breach using available IT tools and procedures.
  • Respondents reported a 68% probability of detecting a large data breach (of more than 10,000 data files), while they said small data breaches (fewer than 100 files) are likely to be detected only 51% of the time.

Jon Oltsik, a security analyst with Enterprise Strategy Group in Milford, Mass., said the Ponemon figures mirror statistics that have been collected by his company.

"The 41% who say they don't have the resources [to effectively fight the problem] -- that I completely believe," Oltsik said. "A lot of companies are kind of slow" in dealing with such problems, he added.

Oltsik said his data shows that the biggest risk for data breaches is the use of laptop computers, which can be easily lost or stolen.

Monitoring a company's data use policies is important, he said, but that's difficult to do because of employee training needs, turnover and other issues. "No one does that kind of stuff," he said.

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon