Security typically tops the list of priorities for IT executives, but a recent survey conducted by the Ponemon Institute reveals that at least one area of IT data security is being overlooked. Off-network security -- or the technologies and policies that ensure data is protected on devices after being removed from the network -- doesn't rank as high as Larry Ponemon, founder and chairman of the Ponemon Institute, says it should.
Ponemon, who this week shared the findings of a survey of some 735 IT security practitioners with attendees at Harvard University's Privacy Symposium, addressed a few questions from Network World Senior Editor Denise Dubie about how companies remain at risk of losing critical, confidential corporate data if they continue to neglect off-network security.
What part of the findings do you think are most significant, and what do they reveal to you?
The number of companies that know or strongly suspect they have unprotected confidential data in their care but that lack the ability to identify and rectify those areas of risk. Our studies have consistently shown, and anecdotal evidence confirms the fact, that confidential data is walking out the door of the vast majority of companies every day. It's a huge problem.
Why has off-network security not yet gotten the attention it needs for IT departments?
Because, for most organizations, it is intimidating to consider the perceived cost and management implications of addressing the vulnerability. Short of a Draconian lock-down, which would be unacceptable to most companies, people are at a loss as to how to go about securing information that is stored in off-network equipment. Instead, there seems to be a head-in-the-sand approach: Pretend there's no problem and hope for the best.
What are the barriers to securing devices and data off-network?
I really think it's a matter of coming to terms with a fundamental change in perspective. Yes, there's a need to invest in good technology, but technology alone can never adequately address off-network vulnerabilities. It also requires development and adherence to sound data management policy, and pervasive awareness within organizations that everyone plays a vital role in keeping information secure. The lack of education and awareness programs that reach from top to bottom within organizations are often the weak link in security.
What steps can IT and security managers take to protect data off-network?
Stringent data management procedures, effective training and awareness programs, adherence to policy, and an investment in security technologies as basic as encryption would represent a quantum leap forward for many companies.