[ISN] Survey: 81% of U.S. firms lost laptops with sensitive data in the past year

From: InfoSec News (alerts@private)
Date: Thu Aug 17 2006 - 01:33:13 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9002493

By Linda Rosencrance 
August 16, 2006
Computerworld

Loss of confidential data -- including intellectual property, business 
documents, customer data and employee records -- is a pervasive problem 
among U.S. companies, according to a survey released yesterday by 
Ponemon Institute LLC and Vontu Inc., a San Francisco-based provider of 
data loss prevention products.

Eighty-one percent of companies surveyed reported the loss of one or 
more laptops containing sensitive information during the past 12 months, 
according to the survey, which queried nearly 500 information security 
professionals.

One of the main reasons corporate data security breaches occur is 
because companies don't know where their sensitive or confidential 
business information resides within the network or enterprise systems, 
Larry Ponemon, chairman of the Ponemon Institute, said in a statement.

"This lack of knowledge, coupled with insufficient controls over data 
stores, can pose a serious threat for both business and governmental 
organizations," Ponemon said. "Moreover, the danger doesn't stop at the 
network, but includes employees' and contractors' laptop computers and 
other portable storage devices."

Ponemon, whose research firm is based in Elk Rapids, Mich., is also a 
columnist for Computerworld.

Other findings of the study include the following:
    
* Handheld devices and laptops ranked highest among storage devices that 
  posed the greatest risk for sensitive corporate data, followed by 
  Universal Serial Bus memory sticks, desktop systems and shared file 
  servers.
    
* Sixty-four percent of companies surveyed reported that they have never 
  conducted an inventory of sensitive consumer information.
    
* Sixty-four percent also reported never having taken an inventory of 
  employee data.
    
* Eighty-one percent of respondents reported that protecting sensitive 
  "data at rest" is a priority this year, and 89% predicted that it will 
  be a priority next year. The survey defines data at rest as all 
  electronic information found on storage devices within an 
  organization's IT infrastructure.

Asked "How long would it take to determine what actual sensitive data 
was on a lost or stolen laptop, desktop, file server or mobile device?" 
the most frequent answer was "never," according to the survey.

More than 53% of respondents believed that their companies would be 
unable to determine what sensitive or confidential information resided 
on a USB memory stick if it was lost or stolen.

And approximately 49% of respondents said that their companies would be 
unable to determine what lost data resided on a handheld or comparable 
mobile device, according to the survey.

"Corporations are clearly struggling with the challenges of identifying 
and protecting sensitive data, as well as developing successful 
strategies for securing confidential information stored among the myriad 
devices that make up today's data networks," said Ponemon. "Our findings 
point to the shockingly high risk to both business and consumers of 
undiscovered confidential data, but we believe that the data also serve 
as a compass to help point organizations toward effective solutions to 
this vexing problem."

According to Pete Lindstrom, an analyst at Spire Security LLC in 
Malvern, Pa., organizations can take the following steps to protect 
sensitive data.

   1. Identify your most significant data elements. That's often 
      personal information, but it could also be intellectual property, 
      financial data or something else.
   
   2. Determine where this data exists on your network, and where it is 
      most likely to leak. Laptops are the typical answer here, but 
      e-mail is another possibility. And some people are concerned about 
      backup tapes or laptop outputs such as USB drives and CDs.
   
   3. Monitor the network and possibly the endpoint for this 
      information, and take appropriate action. In the beginning, this 
      is simply logging. You could also prevent/block it, or even better 
      encrypt it.
   
   4. Encrypt data in the places where it is most likely to rest.
   
   5. Plan your rights management strategy now. Data is ubiquitous.
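Lindstrom's first three steps, as an added example that is not from the article or from Spire Security: a small Python data-at-rest inventory that walks a directory tree for two constructed data elements (SSN-style identifiers and Luhn-valid card numbers), logs each hit, and returns the per-file inventory that the survey's respondents said they could never produce for a lost laptop. The patterns and file contents are constructed sample data, not a real policy.

```python
import os
import re
import tempfile

# Step 1: the data elements this (hypothetical) policy cares about.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Count sensitive data elements in one document body."""
    counts = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for match in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", match)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            counts["card"] += 1
    return counts

def inventory(root: str) -> dict:
    """Step 2: record which files hold what. Step 3: start by simply logging it."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = classify(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            if any(counts.values()):
                found[os.path.relpath(path, root)] = counts
                print(f"INVENTORY {path} ssn={counts['ssn']} card={counts['card']}")
    return found

def build_sample_tree() -> str:
    """Constructed sample files standing in for a laptop's home directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "hr", "payroll.csv"), "w") as fh:
        fh.write("name,ssn\nA. Example,123-45-6789\nB. Example,987-65-4321\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("test card 4111 1111 1111 1111 and invoice 1234567890123456\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("nothing sensitive here\n")
    return root
```

Running `inventory(build_sample_tree())` logs one line per file that holds a hit; the invoice number is skipped because it fails the Luhn check.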

In the future, organizations will have another option for data 
encryption, said Stephen Northcutt, president of the SANS Institute, a 
Bethesda, Md.-based cybersecurity training and certification company.

"The newest laptops and desktops are shipping with something called the 
Trusted Platform Module, and it's a chip that's designed for secure 
storage so it was built to play very nicely with [public-key 
infrastructure]," Northcutt said. "It's really a thing of the future. 
The laptops are shipping now, the software is available now, but the 
implementations don't exist right this second.

"We think this will really be the final answer," he said. "In the 
meantime, [organizations] are going to have to go with a third-party 
solution to [encrypt their data]."


This archive was generated by hypermail 2.1.3 : Thu Aug 17 2006 - 08:16:39 PDT