As attacks on data rise, corporate teamwork fails
Data spills might be due to a number of technological failures, but companies are
ultimately failing to improve information security and internal collaboration,
By Matt Hines
October 26, 2007
As the TJX Companies data leakage incident seeped its way further toward becoming the
Exxon Valdez of corporate information spills this week, researchers reinforced the notion
that businesses continue to make a mess of electronic data security because they fail to
foster adequate internal communication.
A new report from Ponemon Institute -- which has produced a series of studies into
corporate data leakage over the last several years -- concluded that the various people in
charge of collecting, protecting, and managing sensitive information inside large
businesses typically don't collaborate sufficiently. Those constituencies also have widely
differing views regarding their respective roles in safeguarding the content, the report
Echoing comments made by a number of security policy experts in recent months, the
study highlights the fact that companies are likely failing to protect data based on broken
business processes -- at least as much as they may be succumbing to complex
Just as many software developers complain that their applications are left vulnerable to
attack because business teams refuse to wait long enough for the programs' underlying
code to be made secure, the results of Ponemon's survey of 3,600 IT security and
marketing executives -- located in the United States, the United Kingdom, and Germany -
- illustrate a distinct lack of organizational coordination in the name of protecting data.
For instance, only 30 percent of the marketing workers interviewed for the study said
they actually consult security teams before collecting and using sensitive information,
while 80 percent of the IT security employees surveyed indicated a belief that they are
typically involved in such decision-making.
In addition, while only 53 percent of IT security workers surveyed said their companies
have well-coordinated data protection policies, only 32 percent of those workers who
handle the information said their employers are doing an adequate job. Some 45 percent
of security workers don't feel that their data-handling rules get in the way of business
objectives, while only 21 percent of the people using the content feel that such policies
represent roadblocks to their productivity.
And in yet another blow to the perceptions of security workers, only 21 percent of the
marketers using sensitive information interviewed by Ponemon said that security teams
play a leading role in defending the content.
At the heart of the matter is the issue of poor collaboration between all the involved
parties, according to the research firm. Only 29 percent of those interviewed said their
companies' current policies would be adequate to handle a major breach within 24 hours
of its occurrence.
Based on the results, Ponemon contends that organizations with substandard data
protection collaboration policies were twice as likely as to have had a data breach within
the last two years.
Therein lays the ultimate proof of collaboration's impact on data protection, said
executives with Microsoft, which sponsored the research report.
"We expect the data threat environment to continue to evolve, and at the same time,
clearly, there's a long way to go based on where we are today," said Brendon Lynch,
director of privacy strategy at Microsoft. "There's this major issue around the degree to
which marketing professionals consult with these other involved parties; they see the
policies as getting in the way of business objectives, and they're not interacting with
security or privacy specialists based on that, which undermines the process change that
companies are already attempting to enact."
As part of its connection with the study, Microsoft is pushing the notion that companies
should merge their security and data privacy operations to simplify the process of
interaction between the various constituencies.
Some 80 percent of all respondents to the Ponemon study said that they would support
further combination of those teams to improve coordination of their data defenses.
"We feel that most companies need to be more holistic and bring these types of roles
together," said Lynch. "All of these workers are critically important to better locking
down the data, so they need to look at developing appropriate-use cases, and how to
better fulfill business objectives while maintaining protection."
The study is just the latest expert opinion to highlight the fact that despite the ever-
expanding range of security technologies available to enterprises to protect sensitive data,
many organizations could be well served to start with a review of their internal policies.
In addition to getting business teams to work more closely with security and privacy pros,
some experts contend that organizations could improve security risks quickly by merely
retrenching the settings of their network and IT systems.
Many critical infrastructure systems are installed with the idea of getting an operation up
and running first, with plans to bolster security after the fact, and never readdressed, said
Paul Williams, chief technology officer at IT security services provider Global Security
Reviewing networking gear settings to ensure that they have been sufficiently obscured,
along with tweaking the features of other systems crucial to protect external attack is
another way that companies can significantly bolster data security with little to no capital
investment, he said.
"Before you learn how to defend a network, you have to take a walk on the wild side and
see how you can break in yourself," said Williams. "Most networks can be made more
secure by simply taking the time to go back and see how things were installed and
whether or not the settings were changed in a way that promotes security; people
typically look to technology solutions to address these problems, but they could begin
helping themselves significantly at relatively no cost."
In a presentation delivered at the Gartner IT Symposium earlier this month, analyst Neil
MacDonald told attendees of the show that they could save money on their security
projects if they continue to push for a more thorough, process-driven approach to data
protection on a high level within their organizations.
"This can't be about managing a set of projects, it has to be about improving process,"
MacDonald said. "At the end of the day, the idea of tagging every piece of data in an
enterprise for the sake of protecting it is unfeasible; it sounds great on paper, but the
problem is a monumental effort with new information coming in all the time, it's not a
process that's sustainable."
Matt Hines is a senior writer at InfoWorld.