Yesterday the Ponemon Institute and PortAuthority Technologies released a new study, "National Survey on the Detection and Prevention of Data Breaches" that is an interesting read.
Representatives from 853 U.S.-based organizations took a web-based survey for the following issues:
"1. How do information security practitioners respond to data breaches?
2. What technologies, practices and procedures are employed by organizations to detect and prevent data breaches?
3. What are the issues, challenges and possible impediments to effectively detecting and preventing data breaches?
4. How do organizations attempt to enforce compliance with its data protection policies?"
You can download the full report, which has much, much more informaton than the few stats I reference here, from the PortAuthority site.
Some findings that caught my eye…
Only 66% of the respondants use technology to detect and/or prevent data breaches.
The following were the reasons given by the organizations who indicated they do *NOT* use technologies to detect and/or prevent data breaches:
35% Technology-based solutions are too expensive.
16% Existing manual procedures are more than adequate for our company’s data breach detection and prevention activities.
16% Our company is not vulnerable to data breaches.
12% The false positive rate of existing technology-based solutions is too high.
8% Technology-based solutions are too difficult to implement.
6% Our company does not have the in-house expertise to utilize these solutions.
5% Existing technology-based solutions are not able to detect or prevent breaches with a high level of assurance.
2% Detecting breaches is not a priority for our company’s senior executive team.
In response to the question, ‚ÄúIn addition to technology solutions, what other manual practices and procedures does your organization rely upon to detect and prevent data leaks?‚Äù the respondents indicated:
81% Policies, including standard operating procedures (SOPs)
71% Close supervision and management of all data handling functions
65% Training and communication programs
40% Rigorous background checks for all employees who handle sensitive or confidential information
30% Independent audits
29% Self assessments by business or functional units
Some of these reasons are somewhat surprising, and some are quite risky for businesses. Particularly relying upon manual practices alone.
Manual practices are certainly necessary and all listed are very important, but manual procedures alone cannot detect and/or prevent all the many types of data breaches that have occurred at increasingly alarming rates. Technology solutions are necessary to enhance and support the manual efforts. How will manual procedures alone prevent keyloggers from being installed through covert methods and channels? How will manual methods alone prevent an employee from accidentally sending personal information out through email within the message or as an attachment? How will manual methods alone prevent a database of customer information from being accidentally posted to a website? And so many other types of incidents that have actually occurred‚Ä¶many times‚Ä¶that have resulted in significant business impact and disruption of individuals‚Äô lives through identity fraud, theft and other cybercrime.
I believe strongly that the human factor is the weakest link in information security, but I also believe strongly that technology must also be used to enhance the human factor where training, policies, and the other human methods just cannot suffice on their own as dependable detection or prevention solutions.
In response to the question, ‚ÄúWhat technologies does your organization use to detect data breaches?‚Äù the participants gave the following responses:
39% Content filtering technologies
28% Keyword monitors
25% Data leak detection and prevention
23% Intrusion detection systems (IDS)
15% Packet sniffers
9% Digital rights management solutions
It surprised me that IDS was only used by 23%. I know a growing number of organizations are using content filters and keyword scanners, but it is very surprising if they are actually used more than IDS and ‚ÄúOther‚Äù methods. I wonder too about how the survey was worded. Some of these terms are somewhat ambiguous, some subjectively redundant with some of the other terms, and depending on the respondent’s background they may not have answered in a way that most IT or Info Sec practitioners would have answered. According to the survey 50% of the respondents had IT titles while the other 50% were from other ‚Äútitles,‚Äù so this may have impacted the results.
In response to the question, ‚ÄúWhat technologies does your organization use to prevent data breaches?‚Äù the respondents answered as follows:
41% Identity and access management systems
27% VPN or other secure token-based networks
22% Encryption technologies
16% Keyword monitors
15% Intrusion detection systems (IDS)
13% Intrusion prevention systems (IPS)
13% Data leak detection and prevention
11% Content filtering technologies
8% Packet sniffers
7% Digital rights management solutions
Although the report indicated surprise at the identity and access management systems being at the top of the list, it really doesn‚Äôt surprise me that much. Most organizations‚Ä¶primarily business unit leaders‚Ä¶still believe using passwords and network access controls is enough to prevent security incidents and breaches. However, I hope there are actually MORE companies using identity and access management systems than just 41%. Again, I’m not sure if this term was clearly defined within the survey or not, but if it wasn’t it is open to a very wide range of interpretations.
In response to the question, "Has anyone in your organization been fired, demoted or reprimanded as a result of leaking sensitive or confidential information outside the company?" the respondents indicated:
The way this question reads it sounds as though close to half of the respondents indicate that individuals who DID leak information, or cause data breaches, were not reprimanded. And if the 23% that were unsure actually should have been ‚ÄúNo‚Äù answers, this would mean almost 70% of organizations do not apply any disciplinary action at all when they know people have broken policies or did something careless or malicious that resulted in a data breach. This is very troubling, and also points to why depending upon manual methods of prevention and detection alone will not work; if policies are not enforced with disciplinary actions such as demotions, terminations, etc., then personnel will not be motivated to follow the policies or the other processes to protect data. Do you think 70% of organizations really do not hold their personnel accountable and do not apply sanctions when they do things against policies? Scary.
In response to the question, ‚ÄúWhat is the primary reason why enforcement may not be effective?‚Äù the respondents answered:
29% Enforcement is difficult because of the large number of methods to bypass the detection system.
28% Enforcement is difficult because of the large number of false positives generated by detection systems and manual procedures.
16% Enforcement solutions are too costly to implement.
14% Enforcement is difficult because management does not appear to be too concerned about compliance with our policy.
8% Enforcement is difficult because of our inability to detect data leaks in a timely fashion.
Interesting. Recall 34% did not use technology to detect or prevent a breach, so there is no technology-based detection system to bypass for the top two highest percentages. It would have been interesting to know what is meant by it being too costly to implement ‚Äúenforcement solutions.‚Äù I wish they had described what they meant by this.
Management concern can certainly be raised by making them accountable for bad things and applying sanctions to them when breaches happen that could have been prevented.
Detecting data breaches in a timely manner must be done using a combination of methods, starting with documenting where all your personal information is located and keeping your data inventory up-to-date.
There are many more findings and statistics within the report, but this gives you an idea of what types of issues were covered.
How does your organization compare with the survey results?
policies and procedures
awareness and training