A majority of companies put confidential data at risk every day when equipment such as servers, desktops, laptops and portable storage devices leave the confines of their network, according to a recent survey of 735 IT security practitioners.
The survey, conducted by Ponemon Institute and commissioned by Redemtech, an IT asset management and recovery services vendor, shows that the vast majority of data breaches reported today involve unprotected information on devices that go off the network at one time or another for relocation, repair or disposal. The findings, Ponemon says, should compel IT security managers to ramp up their off-network security policies and practices to the same level of their security practices for devices on the network.
"Organizations have experienced the theft or loss of confidential data when it has been off-network. The practices and procedures of protecting data off-network is, therefore, as much an issue as protecting data when it is on-network," the Ponemon report "The Insecurity of Off-Network Security" reads. "Both on- and off-network security should be important for all organizations."
The survey found that close to three-fourths of corporations experienced the loss or theft of a "data-bearing asset" in the past 24 months. Of those, 42 percent involved the loss of sensitive or confidential data. For 68 percent, those devices were laptop computers; for another 67 percent data breaches occurred on PDAs; and for about 60 percent confidential information was compromised when USB flash drives were lost or stolen. Even larger devices such as servers and desktops were cited by 39 percent and 29 percent, respectively, of survey respondents as the cause of data loss in the past two years. Other off-network devices involved in a data breach included backup media for 29 percent of those polled, zip drives and copying machines for 13 percent each, external storage devices for 11 percent, routes for 9 percent, and printers and fax machines for 4 percent of survey respondents.
Yet despite the many reported losses on off-network equipment, more than 60 percent of survey respondents said that their organizations place more importance on on-network security issues. Sixty-two percent of survey respondents said their organizations have data-risk problems, which Ponemon described as "an abundance of unprotected sensitive or confidential information residing on off-network data-bearing assets." And another 62 percent of survey respondents reported that they "believe that off-network controls are not rigorously managed."
"Our research shows that, while more companies recognize the risk off-network data poses, few seems to have a grasp on how to manage the many challenges off-network data presents to maintaining a strong data security program, and many do not even have a policy to address the situation," said Larry Ponemon, found and chairman of the Ponemon Institute, in a press release. Ponemon and Robert Houghton, president of Redemtech, are scheduled to discuss the study findings at Harvard University's Privacy Symposium Wednesday.
The frequency of loss data from laptops and other devices is in part due to a lack of policies dictating how to treat critical data on devices that could leave the network, the study says. About 60 percent of survey respondents said they lack the resources to implement proper policies and put controls on off-network devices. About 40 percent of survey respondents said between 5 percent and 10 percent of their IT security budget is earmarked for off-network security activities, and 34 percent said they can use between 1 percent and 5 percent on such activities.
"The proof of senior managements' commitment to off-network security activities is budget allocation. 89 percent of respondents report that off-network security activities represent no more than 10 percent of earmarked IT security spending," the report reads. "If off-network security threats represent about half of all data breaches, a 10 percent or less budget allocation suggests inadequate focus, attention or commitment."