These results are taken from a Ponemon Institute survey sponsored by Informatica, which concluded that organizations are still struggling to get a grip on their data despite more publicity given to data breaches and the threat of steeper penalties from the UK’s Information Commissioner’s Office (ICO) for insecure data incidents. Most senior IT and IT security practitioners surveyed – 65% of which work in organizations with a headcount of more than 1,000 said that they still wrestle with widespread vulnerabilities, inadequate budgets and difficulties complying with privacy and data protection regulations.
The results are in line with ongoing studies. A Ponemon research paper from January 2012 also found that about half of all organizations feel adequately prepared to protect sensitive data.
Perhaps most worryingly, 71% said that they find it difficult to restrict user access to sensitive information in the IT and business environments. And despite an awareness of the shortcomings, only one quarter, 25% of respondents, say they have adequate budgets to invest in the necessary solutions to reduce the insider threat.
In addition to the risk from internal staff and company processes, the research also highlights significant threats to data that is shared with third parties, including cloud providers. According to Gartner., cloud computing is forecast to grow 19% in 2012, a faster rate than overall IT spending. Yet an alarmingly high proportion of Ponemon survey respondents claim their organizations are not adequately protecting sensitive corporate and customer data in the cloud.
To wit: 51% say their organizations believe it is important to anonymize, mask, suppress or encrypt information when transferring to third parties, including cloud providers. Yet 67% say the security or privacy risk posed by cloud providers accessing confidential data is high or very high, while 60% agree that the inevitability of a data breach in the cloud is such that it is likely to have happened already or will happen in the future. Meanwhile, 69% say their organization is not able to detect the loss or theft of personal information operated by third parties, including cloud providers.
The ramifications of being underprepared for data breach attempts are growing. Under the terms of the UK Data Protection Act, the ICO has taken a tougher approach to handing out penalties for information breaches. The ICO has issued a record 68 warnings this year, up 48% from the 46 it meted out during the previous year. Nonetheless, a full 59% of those surveyed admit they are not confident that they would be able to detect the unintentional loss or theft of sensitive personal information contained in databases or applications in the production environment.
But non-compliance fines and other hard-cost financial ramifications of a data breach are only one dimension of what’s on the line for businesses when it comes to information insecurity.
“Beyond the threat of hefty fines, UK organizations need to deal with the impact of data breaches on hard-won consumer trust,” said Adam Wilson, general manager for ILM at Informatica. “The risks are compounded by the differences in data privacy laws across countries in the EU as well as complexities of protecting data in the cloud.”