IT security professionals are struggling to detect and prevent data
breaches, according to the results of a recent survey of 853 U.S.
security executives conducted by the Ponemon Institute LLC.
Nearly two-thirds of security executives said they have no way
to prevent a data breach, while most respondents said their
organisations lack the accountability and resources necessary to
enforce data security policy compliance, according to the Elk
Rapids, Mich.-based think tank. The study, conducted in June and
July, was sponsored by security firm PortAuthority Technologies
Inc.
"I don't think I expected two-thirds to say they can't prevent a
breach," said Larry Ponemon, chairman and founder of the Ponemon
Institute. "If your first line of defence says you can't win the
war, it indicates a big problem."
According to the Ponemon Institute's final report on the
survey:
- 59% of respondents said they can effectively detect a data
breach, but a staggering 63% don't think they can prevent a data
breach.
- High false positive rates of up to 35% affect the ability of
many organisations to detect a breach.
- 41% of respondents don't believe they are effectively enforcing
data security policies. The top reason given for failed enforcement
is lack of resources.
- Respondents said there's a 68% probability they can detect a
large data breach involving more than 10,000 data files.
- But they said small data breaches involving fewer than 100
files are only likely to be detected 51% of the time.
- Only 16% of respondents believe they are invulnerable to a
data breach.
- Excessive cost was the main reason 35% of respondents said
they're not using leak-prevention technologies.
Ponemon said the findings suggest IT pros are between a rock and
a hard place because they're shouldering the lion's share of
responsibility for preventing breaches but don't have the resources
to be 100% effective.
"There's a lot of frustration at the CIO level, because there's
a feeling that the responsibilities should be shared across the
management structure more than they are," he said. "They're also
concerned about their ability to enforce security policies. Even
when someone finds the culprit behind a breach, policies aren't
enforced and mistakes are repeated in terms of what users do in
their computing habits."
But Ponemon said respondents don't see their situation as
hopeless.
"A lot of these people feel their current problem is a resource
issue, but that technology can help them solve some of the
problems," he said.
Raj Dhingra, PortAuthority Technologies's vice president of
products and marketing, said his company sponsored the study
because it wanted to pinpoint the root causes of corporate data
breaches. "We feel this study helps bring greater understanding of
these issues, while validating that the industry requires much more
than just monitoring of information leaks, but automated
enforcement to best prevent information leaks," he said.