Security: Don’t Spring a Data Leak

Steven Zimmerman, vice president of technology risk management for Regions Financial Corp., a financial services company in Birmingham, Ala., with $85 billion in assets, used to get challenged about the necessity of certain security projects he presented to Regions’s executives.

That hasn’t happened much in the last few months.

“Before, I used to be seen as a hindrance,” Zimmerman says. “What’s good now is that the business units are really realizing the importance of security.”

No kidding. Recent large-scale security breaches have spooked corporations with the very real prospect of a single employee’s laptop inflicting major damage—to the bottom line and an organization’s reputation.

The most notorious snafu: The U.S. Department of Veterans Affairs disclosed in May that it lost data on 26.5 million veterans and their spouses plus 2.2 million active military members when a worker’s computer was stolen out of his home. Other organizations that have reported thefts of computers with sensitive data include Aetna, American International Group, Ernst & Young, Equifax, Union Pacific and the YMCA.

Even the Federal Trade Commission, responsible for enforcing privacy laws, disclosed in June that a laptop with unencrypted private data on 110 people was stolen from a car used by its attorneys.

From February 2005 to mid-June 2006, such security breaches have exposed information on more than 88 million individuals, according to the Privacy Rights Clearinghouse, a San Diego privacy advocacy group.

“Everyone spends a lot of time focusing on external threats,” says Gartner analyst Avivah Litan, “but most of the threats are either from insiders or employees who take data home. It has nothing to do with criminals hacking into your databases.”

Litan says many organizations are unprepared for accidental or deliberate data breaches: She estimates that businesses today encrypt less than 10% of all sensitive customer data. A survey this year by research firm Ponemon Institute, sponsored by encryption vendor PGP, found that 4.2% of companies use encryption across their entire enterprise (as opposed to only in select departments).

Litan predicts that companies will be fast-tracking security projects to prevent information assets from leaking out, including deploying software that stops any sensitive data from being e-mailed or copied to any outside party or device.

“Pretty soon, there’s not going to be any employee privacy—everything is going to be monitored,” she says.
