Companies are not moving quickly to deploy protections
and adopt procedures to cope with a future data security breach, according to a
survey of more than 700 IT executives and security
officers.
Of those surveyed, 85% of respondents said their business had
experienced a data security breach. Despite the frequency of such
security failures, 46% of those surveyed said their businesses
didn't implement encryption solutions on portable devices even
after suffering a data breach.
"We're dealing with lots of small breaches," said Larry Ponemon,
founder and chairman of the Ponemon Institute. "Data breaches have
been a common event since organizations have been managing large
amounts of data with technology, but middle and upper levels of
management were removed from the daily event of a data breach."
The survey was conducted by the Ponemon Institute and
commissioned by Scott & Scott, a Dallas-based law firm that
handles data breach cases. Called "The Business Impact of Data
Breach," the survey examines the responses of more than 700
US-based C-level executives, managers, and IT security officers in
mid-size to large businesses spanning various industries.
Business executives have been keeping a close eye on TJX, which
reported the
largest data breach in history with the loss of more than 45
million credit and debit card numbers. While the company had
encryption in place, the breach was the result of
weak Wi-Fi security measures, according to investigators.
Experts say there are many lessons to be learned from the TJX data
security breach.
The survey found that only 43% of respondents said they had an
incident response plan in place, and 82% failed to consult with
legal counsel before responding to an incident.
"The legal landscape governing data privacy is complex with 35
separate state regulations and numerous federal regulations that
may be applicable to a particular incident," said Robert Scott,
managing partner at Scott & Scott.
Nearly all the respondents said they were required to notify
those whose information was lost or stolen because of state breach
notification laws. The organizations sent blanket notifications,
rather than precise notifications, according to the survey.
In many cases notification could have been avoided if encryption
was in place. Ponemon said that encryption is in most cases the
only answer to securing sensitive corporate and customer data. The
high costs and performance issues attributed by many IT pros to
encryption outweigh the risk of a major data security breach,
Ponemon said.
"I think that you aren't a good practitioner if you don't
implement encryption in areas where you have critical or sensitive
information," Ponemon said. "If you're not implementing encryption
you're just not doing your job."
In addition, the survey found that organizations that suffered a
data security breach employ substantially more IT and data security
measures than organizations that have not experienced a data
breach.
Ponemon said it's unclear if organizations are reporting more IT
and security measures in place because they spend more on security
after a data breach has already occurred. Businesses with a larger
IT staff may be more capable of discovering a breach, he said.
"We think a breach is motivating a behavior change," Ponemon
said. "Organizations are making small steps and improvements after
the fact."