Is Security a Myth?

By Eileen Feretic  |  Posted 2009-03-31

Recent surveys and reports about information security—or the lack of it—are discouraging, to put it mildly. Consider the following statistics:

• In 2008, there were 656 breaches of personal data, up 47 percent from 2007, according to a report from the Centre for Information Policy Leadership at Hunton & Williams.

• A recent study by the Ponemon Institute found that more than 88 percent of 2008 data breaches resulted from negligence. (See “The Cost of Data Breaches,” .)

• “The security measures that most financial institutions and other service providers have in place are proving inadequate in the face of the new cyber-crime attacks against customer accounts,” stated a Gartner release.

• More than three out of 10 respondents to a survey by PriceWaterhouseCoopers couldn’t answer basic questions about risks to their company’s information.

• The number of new malicious Web sites in the fourth quarter of 2008 surpassed by 50 percent the total number of these sites in 2007, said the 2008 IBM X-Force Annual Trend and Risk Report.

• About 7.5 percent of U.S. adults lost money in 2008 because of financial fraud, largely because of data breaches, said a recent Gartner survey.

• According to a report from Credant Technologies, 99 percent of the people polled use their phones to do some business, and 80 percent store information on their phones that could be used to steal their identity.

• A recent survey conducted by SHARE reported that 18 percent of the IT managers polled said security is one of the greatest challenges to virtualization.

• In an IntraLink survey, 48 percent of the finance executives polled said their company’s current methods of exchanging documents with external parties “may not be secure enough.”

This sample of security reports is sobering. And there are many other surveys out there that reveal a shocking lack of security despite the huge sums of money spent to safeguard information. For years, dollars, technology, people and processes have been thrown at this problem, but, rather than abating, the challenge seems to increase each year.

Is information security a losing battle, or can organizations actually turn it around?

For our cover story, “Is Your Information Really Safe?” Ericka Chickowski spoke with consultants, researchers and IT managers to get an answer to that question. The response? Guarded optimism. The recommendation? Take an information-centric risk management approach.

The consensus among the experts interviewed is that technology, though a big part of the solution, is not enough. The other critical components are people and policies.

Let’s face it, people are a big part of the problem. And I’m not just talking about hackers, cyber-criminals and disgruntled workers. I’m also talking about employees who either don’t understand the importance of taking security precautions or don’t know what to do.

One of the surveys cited provides a good example: More than 88 percent of 2008 data breaches mentioned in the Ponemon study resulted from negligence. Not employee malice or criminal intent—negligence. Fortunately, that’s a problem that can be fixed with appropriate education and clear-cut policies that include strong, consistent enforcement.

Consider another statistic mentioned above: Of the people polled by Credant, 99 percent use their phones for business, and 80 percent store information that could be used to steal their identity. When employees use their personal mobile devices to conduct business, they create a huge security risk, as it’s difficult to control devices the organization doesn’t own. Here again, education and policies with an enforcement component can provide at least a partial solution to this problem.

Unfortunately, in times of tight budgets, there often isn’t money available for employee education. But, when it comes to security training, cutting back is false economy. The cost of recovering from one data breach was $6.6 million last year, according to the Ponemon study. Think how much security training you could do with just a portion of that amount. And think how much you could save by avoiding a data breach.

So, keep that in mind when you put together your security policies and technology initiatives. And don’t skimp on education. It may be the only way to win this battle.