Analyse your data: if you do not, you cannot say what to
protect, how much to spend or how to do it.
That is the message visitors will hear at the RSA security
conference that opens in San Francisco next week.
Speaking at a show briefing, Nick Selby, an analyst with the
451 Group, said,
"Companies that cannot classify their data cannot control it."
Recent research by his company covering more than 300 global
firms had shown only 37% had tried to see what data they actually
had and where they stored it. Only 20% had looked to see where,
with whom and how that data was exchanged, he said.
"Some 25% had a data classification scheme, but enforcing it was
a complete mess," he said. This allowed increasingly sophisticated
and well-funded attackers to exploit gaps to go after sensitive,
crucial information. Target data included financial and customer
data as well as intellectual property such as designs and formulas,
he said.
Paul Stamp, an analyst with Forrester Research, said if
some information was vital to a company, it would leak accidentally
or come under attack. "Every firm is unique in what data are
crucial to them," he said. "If they cannot quantify the risks of
losing them or having them compromised, they cannot find the
right tools to protect them."
Selby said, "By volume, 99% of data breaches are caused by
stupidity." He said companies need to develop a security awareness,
starting at the top, so that staff do not act rashly.
Companies had to back up security training with practical and
enforced usage policies to change behaviours, he said. Tools such
as identity and access management systems could help monitor and
control behaviour.
Threats from "the cloud" or cyberspace, such as port sniffing,
code injection, Trojans and phishing, could be defeated by greater
use of code-checking software and intrusion detection and
prevention tools, he said.