Perspective: Fiddling while Rome burned

Despite all the attention lavished on data security, most U.S. corporations still do not think that they can prevent data breaches.

A just-released report, provided first to this columnist, prepared by the Ponemon Institute and sponsored by PortAuthority Technologies, paints a bleak picture. The results of the report were compiled from a survey of 850 security practitioners and centered on how they deal with detection and prevention of data breaches within their U.S. companies.

While there is a heightened focus on data security, the new findings suggest that data security continues to present serious challenges to the business world. Even though a majority of the surveyed companies believe that they can detect data breaches, an even larger percentage--63 percent--acknowledge they can't do anything to prevent the attacks. Many say they are affected by high false-positive rates of up to 35 percent, an operational shortcoming that affects their ability to detect intrusions.

Just as troubling is the fact that 41 percent of the surveyed companies do not believe that they are effective at enforcing their data security policies. The No. 1 reason cited for failed enforcement: lack of resources. This is unacceptable; data security is not the place to be penny-wise and pound-foolish. Wouldn't it be much better to plan and spend for prevention than to grapple with the burden and larger expense of a breach after the fact?

The report found that companies are likely to detect both large and small data breaches, but the detection rates still are too low. Better technological methods must be employed to ascertain breaches as soon as they happen, so they can be stopped and damage can be minimized.

Then, there is the minority--some 16 percent of the surveyed companies--who think they lead a charmed existence and are invulnerable to data breaches. They either are naive or doing something very right that others should study.

Among companies that choose not to use leak prevention technologies, cost is the big issue. About one-third say that such technologies simply are too expensive. You can see the looming contradiction. Effective data security may not be the primary mission at most companies, but it soars to the top of the corporate agenda when defenses fail.

The question is whether U.S. companies are ready to make the necessary commitment to fix the system. Failing that, are they at least ready to get ready?

Biography
Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

4 comments
where's the report?
by truth_teller September 6, 2006 8:45 AM PDT
citing a report that your readers can't access is poor journalism.....either get permission for others to see it, or don't cite it.

--Journalism 101
you HAVE enough resources to at least get started
by nanarita September 6, 2006 12:20 PM PDT
Companies need to start looking beyond the usual enterprise solutions, to find security applications that fit their needs AND their budgets. According to the 2006 CSI/FBI Computer Crime and Security Survey, unauthorized access is the second-greatest source of financial loss, and 32% of loss comes from insider threats. Email tops the list in theft and misuse of IP, something even (especially) the little guy is hit with. You can use a simple solution like Taceo that integrates with Outlook to protect email and documents from unintended access.

Average loss of email theft - $1,849,810
Theft of IP - $6,034,000
Unauthorized access to info - $10,617,000
Cost of Taceo to protect email integrity - $59

Read how one small company used Taceo successfully:
http://www.essentialsecurity.com/casestudies/jacobsen.htm
The real reason corporate security policies aren't enforced
by aabcdefghij987654321 September 11, 2006 9:33 AM PDT
Quite simply the policies are put in place by people who have no connection to the real world where work is actually accomplished. Most corporate security policies have little or no flexibility and treat everything exactly like an end-user so if they were completely enforced the company would cease to function!

Requiring users to change their passwords too frequently or requiring excessive complexity means that more and more users actually write their password down so they can remember it. Longer passwords are more secure but when multiple legacy systems are combined and all require their own logins users flock to a common password for all systems (remembering one new password each xx days instead of four different passwords is simpler) and then the password is limited by the system with the least flexibility.

For example using the same login id between Windows networking and an IBM mainframe means that the Windows network password is limited to eight characters just like the mainframe password (or you end up remembering multiple passwords and users just don't go for that) despite the fact that Windows allows truly long passwords. Add a minimum password size of eight characters (a common value) and you end up with every user having an eight character password which ironically reduces the possible passwords and makes guessing passwords simpler.