As attacks on data rise, corporate teamwork fails

As the TJX Companies data leakage incident seeped its way further toward becoming the Exxon Valdez of corporate information spills this week, researchers reinforced the notion that businesses continue to make a mess of electronic data security because they fail to foster adequate internal communication.

A new report from Ponemon Institute — which has produced a series of studies into corporate data leakage over the last several years — concluded that the various people in charge of collecting, protecting, and managing sensitive information inside large businesses typically don’t collaborate sufficiently. Those constituencies also have widely differing views regarding their respective roles in safeguarding the content, the report contends.

Echoing comments made by a number of security policy experts in recent months, the study highlights the fact that companies are likely failing to protect data based on broken business processes — at least as much as they may be succumbing to complex technological challenges.

Just as many software developers complain that their applications are left vulnerable to attack because business teams refuse to wait long enough for the programs’ underlying code to be made secure, the results of Ponemon’s survey of 3,600 IT security and marketing executives — located in the United States, the United Kingdom, and Germany — illustrate a distinct lack of organizational coordination in the name of protecting data.

For instance, only 30 percent of the marketing workers interviewed for the study said they actually consult security teams before collecting and using sensitive information, while 80 percent of the IT security employees surveyed indicated a belief that they are typically involved in such decision-making.

In addition, while only 53 percent of IT security workers surveyed said their companies have well-coordinated data protection policies, only 32 percent of those workers who handle the information said their employers are doing an adequate job. Some 45 percent of security workers don’t feel that their data-handling rules get in the way of business objectives, while only 21 percent of the people using the content feel that such policies represent roadblocks to their productivity.

And in yet another blow to the perceptions of security workers, only 21 percent of the marketers using sensitive information interviewed by Ponemon said that security teams play a leading role in defending the content.

At the heart of the matter is the issue of poor collaboration between all the involved parties, according to the research firm. Only 29 percent of those interviewed said their companies’ current policies would be adequate to handle a major breach within 24 hours of its occurrence.

Based on the results, Ponemon contends that organizations with substandard data protection collaboration policies were twice as likely as to have had a data breach within the last two years.

Therein lays the ultimate proof of collaboration’s impact on data protection, said executives with Microsoft, which sponsored the research report.

“We expect the data threat environment to continue to evolve, and at the same time, clearly, there’s a long way to go based on where we are today,” said Brendon Lynch, director of privacy strategy at Microsoft. “There’s this major issue around the degree to which marketing professionals consult with these other involved parties; they see the policies as getting in the way of business objectives, and they’re not interacting with security or privacy specialists based on that, which undermines the process change that companies are already attempting to enact.”

As part of its connection with the study, Microsoft is pushing the notion that companies should merge their security and data privacy operations to simplify the process of interaction between the various constituencies.

Some 80 percent of all respondents to the Ponemon study said that they would support further combination of those teams to improve coordination of their data defenses.

“We feel that most companies need to be more holistic and bring these types of roles together,” said Lynch. “All of these workers are critically important to better locking down the data, so they need to look at developing appropriate-use cases, and how to better fulfill business objectives while maintaining protection.”

The study is just the latest expert opinion to highlight the fact that despite the ever-expanding range of security technologies available to enterprises to protect sensitive data, many organizations could be well served to start with a review of their internal policies.

In addition to getting business teams to work more closely with security and privacy pros, some experts contend that organizations could improve security risks quickly by merely retrenching the settings of their network and IT systems.

Many critical infrastructure systems are installed with the idea of getting an operation up and running first, with plans to bolster security after the fact, and never readdressed, said Paul Williams, chief technology officer at IT security services provider Global Security Management.

Reviewing networking gear settings to ensure that they have been sufficiently obscured, along with tweaking the features of other systems crucial to protect external attack is another way that companies can significantly bolster data security with little to no capital investment, he said.

“Before you learn how to defend a network, you have to take a walk on the wild side and see how you can break in yourself,” said Williams. “Most networks can be made more secure by simply taking the time to go back and see how things were installed and whether or not the settings were changed in a way that promotes security; people typically look to technology solutions to address these problems, but they could begin helping themselves significantly at relatively no cost.”

In a presentation delivered at the Gartner IT Symposium earlier this month, analyst Neil MacDonald told attendees of the show that they could save money on their security projects if they continue to push for a more thorough, process-driven approach to data protection on a high level within their organizations.

“This can’t be about managing a set of projects, it has to be about improving process,” MacDonald said. “At the end of the day, the idea of tagging every piece of data in an enterprise for the sake of protecting it is unfeasible; it sounds great on paper, but the problem is a monumental effort with new information coming in all the time, it’s not a process that’s sustainable.”