Redemtech is an outsource leader in TCM (Technology Change Management) solutions that is revolutionizing IT asset recovery, data security and computer recycling for major, privacy regulated companies worldwide.
Feature Article: Off-Network Data Needs Protection Too
It's becoming an all too familiar topic in the headlines: Security breaches at companies due to the loss or theft of data-bearing assets that were off-network. Yet another costly, reputation-damaging security breach down in the history books.

And it doesn’t seem to subside and probably won’t, unless companies begin to take a serious, hard look at their off-network asset procedures and implement strategies to thwart breaches from occurring.

Research after research, study after study, continues to validate the importance of securing off-network assets. One of the most recent studies by the Ponemon Institute, commissioned by Redemtech, found that in some cases, the situation is getting worse, not better.

Ponemon Institute Report
Find out why 68% of senior IT security professionals lack confidence that their organization’s procedures and controls will prevent the loss of confidential information from data-bearing equipment taken off-network.
You can read the entire report, National Findings: The Insecurity of Off-Network Security, which queried 735 corporate information technology (IT) professionals within U.S.-based business or governmental organizations about this important issue. We encourage you to download the study at www.redemtech.com/ponemon.

According to the study, 73 percent of companies have reported the loss or theft of data-bearing assets within the past two years. These security breaches account for three-quarters of all data lost and continue to occur because, according to the study, most companies have under-developed asset management and inventory controls, do not have measures in place to effectively manage them, and spend only five percent of their IT security resources protecting against "off-network" risk.

The Root of the Problem
As soon as equipment is disconnected from a network, an organization’s risk for a data security breach increases dramatically. Too often, asset handling processes are poorly designed and responsibility for the security of these assets is fragmented, making it virtually impossible to ensure appropriate controls are in place.

Off-network assets are particularly vulnerable when equipment is placed in storage, transitioned throughout the organization, sent for repair, resold or recycled. When decommissioned assets are stored on-site, much of the idle, data- and software-bearing assets are kept in unsecured storage, draining value and increasing the risk of loss or theft.

In fact, a study of 550 security breaches by the University of Washington found that 66 percent were the result of mismanagement of data-bearing assets, compared to just 31 percent resulting from malicious hackers.

For assets in transit, inadequate chain-of-custody controls can create security gaps. According to the Ponemon Institute, almost 30 percent of security breaches originate with external partners, consultants, outsourcers or contractors.

In addition, companies all too often have inadequate data destruction processes. Common practices, such as on-site hard drive erasure, degaussing or physical drive destruction, are unreliable, destroy the value of the asset, and increase e-waste.

The University of Glamorgan analyzed more than 300 second-hand disks and found that 50 percent contained information that could identify an organization or individuals. For a significant portion of the disks that were examined, the information had not been effectively removed and, as a result, various entities were exposed to a range of potential data security dangers. Even when drives are physically destroyed by hammering or drilling, data may still be accessible.

What’s also surprising is the number of repeat offenders. According to the IT Compliance Group, 68 percent of businesses are losing sensitive data or having it stolen out from under them at least six times a year. An additional 20 percent are losing sensitive data 22 or more times a year.

Other causes include lack of policy, communication, monitoring and enforcement. There also seems to be a lack of control over mobile devices, inconsistent processes, insufficient budgets, poor asset management procedures, or no centralized repository. Read more about the causes in this issue's guest column by Dr. Larry Ponemon.

Consequences of Inadequate Protection
When businesses fail to protect the identity of customers or associates, the impact for businesses can be devastating, causing huge financial and productivity losses, customer defections, criminal and civil litigation, and irreparable damage to brand and stakeholder confidence.

Consider a well-known organization like Monster.com: as a result of a security breach, confidential information of some 1.3 million job seekers was stolen and used in a phishing scam. Not only was information stolen, Monster waited five days before telling its users of the breach.

The Ponemon Institute says 11 percent of Americans have received a notice from a firm revealing their personal information has been lost during the past year. A total of 20 percent of those surveyed said they had "discontinued" their relationship with the company involved. An InfoSurv survey found that 87 percent of U.S. consumers said they lost respect for businesses in instances where companies lost customers’ personal information, while 96 percent of respondents said that protecting customers from data breaches should be a company's highest priority.

From a regulatory perspective, businesses must be aware of the laws pertaining to lost or stolen information, especially if it exposes a person’s identity. These include the Computer Fraud and Abuse Act, the Data Accountability and Trust Act, the Digital Millennium Copyright Act, the Fair and Accurate Credit Transaction Act, the Fair Credit Reporting Act, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, the Identity Theft Protection Act of 2007, the Notification of Risk to Personal Data Security Standard, the U.S. Patriot Act, and the Payment Card Industry Data Security Standard. For a complete list of data privacy, security breach and identity theft laws visit our Regulations section.

Besides the regulation and publicity headaches, the cost associated with these breaches can also be significant for an organization. Forrester Research estimated breaches have cost companies between $90 and $305 per lost record, including notifying customers, hiring contractors to fix computer systems, fines, and lost business, while Ponemon Institute found the average cost of a privacy-related data breach was $4.8 million, with costs ranging from $226,000 to $22 million.

Lost productivity costs averaged $30 per lost record, an increase of 100 percent over 2005 results, for lost employee or contractor time and productivity diverted from other tasks, according to Ponemon. The Computing Technology Industry Association (CompTIA) recently reported that when costs were broken down within organizations suffering security breaches, 35 percent fell on employee productivity, 20 percent on revenue-generating activities, 17 percent on physical assets, and 8 percent on legal fees and fines. Gartner analysts estimate that the cost of a sensitive data breach will increase 20 percent per year through 2009.

And let's not forget the customer's loss. A study released by Utica College's Center for Identity Management and Information Protection (CIMIP) found that the median actual dollar loss for identity theft victims was $31,356.

Best Practices for Off-Network Security
Preventing Off-Network Data Breaches
Robert Houghton, President and Founder of Redemtech
Learn what your organization must do to prevent high-profile data breaches and protect data-bearing assets as they move through, and outside, your organization.
The first rule of thumb in establishing best practices is to secure executive sponsorship for making off-network security a priority. In order for this to happen a central policy and controls are necessary; adequate resources must be provided; clear lines of authority and responsibility must be defined; and accountability must be established at a personal level.

It’s also critical to conduct an assessment of current off-network security policies and procedures to identify gaps in policy and practice. This includes asset management, physical security and inventory control, chain-of-custody during moves, and defining minimum acceptable off-network practices while also identifying remediation steps required to reach that baseline.

Just as important is formally communicating your off-network security policies to the organization. This can happen by training employees and holding them accountable to the policies set in place.

In addition, assessing asset management systems and practices is key, considering that inventory control is instrumental to off-network security. This is when you need to ask yourself: Does procurement data begin the lifecycle of each asset? Does retirement data conclusively end the lifecycle of each asset as it relates to disposition information, software destruction, data destruction, and financial proceeds and costs? You must also know how accuracy is maintained, either through auto discovery or manual cycle counts.

Another best practice is to establish metrics for measuring the reliability of key components of the off-network asset cycle, and enforce the discipline required to use the metrics for continuous improvement of off-network management practices. This can be achieved by conducting regular audits and tracking inventory variances.

Consider outsourcing to a vendor with experience in off-network operations, which may provide more mature capabilities more quickly than using internal resources. This includes detailed vetting of vendor capabilities and automation of information exchange.

Know what is not encrypted. Control and limit inventory at rest through physical security measures such as limited access, video monitoring and data locking. In addition, for security and ROI purposes, limit storage time as much as possible.

Data destruction is also crucial. Whether it is on-site or off-site, ensure physical destruction, verification and logging take place on all IT assets.

Quality control procedures need to be put in place, such as documentation and audit trails, where assets can be tracked by asset level, serial number and tag. This can also be achieved through storage devices with firmware serial numbers, a manufacturer number and/or an OEM serial number.

Physical security procedures also need to be addressed, in order to ensure limited, secure access. This can be achieved by installing security cameras. It's also important to ensure that logistical procedures are in place that address rapid recovery; serial number accountability from pickup to final disposition; use of tamper-resistant and tamper-evident containers; and working with a closed, limited network of logistics providers.
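As an added illustration (not Redemtech's code, and not from the white paper) of the lifecycle checks and inventory-variance audits described above, the following script reconciles a constructed chain-of-custody ledger keyed by serial number: it flags assets whose lifecycle does not begin with a procurement record, that were disposed of without a verified data destruction record, or that are still in transit, and it compares the ledger's view of a storage location against a physical cycle count. The stage names, custodian labels and ledger layout are assumptions.

```python
from collections import defaultdict

# Constructed sample chain-of-custody ledger (not real data): one row per
# handoff, in chronological order: (serial number, lifecycle stage, custodian).
LEDGER = [
    ("SN-1001", "procured", "procurement"),
    ("SN-1001", "in_use", "finance-desk-12"),
    ("SN-1001", "storage", "it-cage-a"),
    ("SN-1001", "data_destroyed", "it-cage-a"),
    ("SN-1001", "disposed", "recycler"),
    ("SN-1002", "procured", "procurement"),
    ("SN-1002", "in_use", "hr-desk-3"),
    ("SN-1002", "storage", "it-cage-a"),
    ("SN-1002", "disposed", "recycler"),    # disposed with no destruction record
    ("SN-1003", "in_use", "sales-laptop"),  # appears with no procurement record
    ("SN-1003", "storage", "it-cage-a"),
    ("SN-1004", "procured", "procurement"),
    ("SN-1004", "storage", "it-cage-a"),
    ("SN-1004", "transit", "courier-x"),    # still with the courier: open custody
]

def lifecycle_issues(ledger):
    """Return {serial: [issue, ...]} for assets whose lifecycle does not start
    at procurement, end with verified data destruction before disposition,
    or has an open chain of custody (last recorded stage is transit)."""
    stages = defaultdict(list)
    for serial, stage, _custodian in ledger:
        stages[serial].append(stage)
    issues = {}
    for serial, seq in stages.items():
        found = []
        if seq[0] != "procured":
            found.append("no procurement record")
        if "disposed" in seq and "data_destroyed" not in seq[:seq.index("disposed")]:
            found.append("disposed without verified data destruction")
        if seq[-1] == "transit":
            found.append("open chain of custody (in transit)")
        if found:
            issues[serial] = found
    return issues

def inventory_variance(ledger, location, cycle_count):
    """Compare the ledger's view of what sits at a storage location with a
    manual cycle count of serial numbers; returns (missing, unexpected)."""
    current = {}
    for serial, stage, custodian in ledger:
        current[serial] = (stage, custodian)   # the last event for a serial wins
    expected = {s for s, (st, c) in current.items() if st == "storage" and c == location}
    counted = set(cycle_count)
    return sorted(expected - counted), sorted(counted - expected)
```

A non-empty "missing" list is the signal to investigate a possible loss or theft, while an "unexpected" serial means an asset the ledger says was disposed of (or never recorded) is physically present, so the disposition record itself is unreliable.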

All of these best practices are discussed in detail in the Redemtech white paper Preventing Off-Network Data Breaches: Best Practices for Securing the Final Mile. Register now to receive a copy of the full white paper when released in mid-November.

Start with Technology Change Management
Organizations that want to adopt these best practices can begin by implementing Technology Change Management (TCM), a set of systematic processes and best practices used to manage the deployment, recovery and disposition of technology, including environmentally safe recycling. TCM helps organizations increase technology utilization, reduce regulatory liabilities and maximize value throughout the lifecycle.

Contact Us for more information on how you can implement TCM – and close off-network security gaps across your enterprise.

In this issue of (re)news:
- feature: Off-Network Data Needs Protection Too
- guest: Dr. Larry Ponemon: Off-Track Security
- expert: Barbara Scott, director, advisory & consulting services
- success: Optimizing the IT Lifecycle
- inside: Happenings at Redemtech