Dr. Larry Ponemon
Chairman and Founder of Ponemon Institute
Off-Track Security: Implications for Privacy and Data Protection
A sad scenario keeps repeating itself. In September, a laptop in the possession of a major retailer's third-party vendor is stolen with personal data. In this case, the company was Gap and the laptop had personal data for approximately 800,000 applicants for employment who applied online or by phone for store positions between July 2006 and June 2007. Social Security numbers were included in the information on the laptop.
One month earlier, a laptop computer containing unencrypted personal data on current and former AT&T employees was reported stolen from a contract employee's car, prompting the telecom firm to notify an unspecified number of people about the potential compromise of their Social Security numbers and other personal data.
Such breaches of confidential information have become routine news for one simple reason: while corporations spare no expense to guard their networks, they often fail to protect the data that sits on laptops, PDAs and other devices once those devices are disconnected from the network. And the problem has become enormous. The non-profit Privacy Rights Clearinghouse calculates that, since 2005, security breaches have involved nearly 168,000,000 records containing personal information. The breaches continue despite what a single incident can cost a company's reputation and bottom line.
What are companies doing to secure confidential data on off-network electronic equipment? With sponsorship from Redemtech, Ponemon Institute conducted the National Survey: The Insecurity of Off-Network Security, querying 735 respondents employed in the information technology (IT) departments of U.S.-based business or governmental organizations.
What we learned is that 73 percent of organizations in our study experienced the loss or theft of a data-bearing asset in the past 24 months, yet those same organizations report only limited efforts to manage this vulnerability. For example, 62 percent of respondents cannot confirm, or are unsure, whether their off-network equipment contains unprotected sensitive or confidential information, and 30 percent say they would never detect the loss or theft of confidential data from off-network equipment.
What is the cause of these security breaches? According to the study, the most likely cause is the failure to comply with prescribed procedures (27 percent) followed by negligent insiders such as employees, temporary workers or contractors (24 percent), and a lack of defined policies and procedures (19 percent). The least likely causes were theft committed by malicious insiders (9 percent) and criminals outside the company (7 percent).
What can it cost a company when sensitive data is lost or stolen? According to Ponemon Institute research, the cost can be astronomical, whether it occurs over the network or results from lost or stolen off-network assets. According to Ponemon Institute's 2006 Cost of a Data Breach study, the average cost is $182 per record. This is an increase from $138 in 2005. The cost of a breach is calculated based on four activities in which an organization typically engages when a breach occurs. These activities include: detecting or discovering the breach, reporting the breach, notifying the individuals affected by the breach, and helping the victims of the breach to minimize potential harms.
In addition to the above process-related activities, most companies experience opportunity costs associated with the breach incident, which results from diminished trust or confidence by present and future customers. Accordingly, our Institute's research shows that the negative publicity associated with a data breach incident causes reputation effects that may result in abnormal turnover or churn rates as well as a diminished rate for new customer acquisitions. This should alarm CEOs who have customer or employee information and a brand to protect.
Based on the findings from our study and the potential consequences to an organization, asset management professionals need to take a more proactive approach to securing the equipment in their organizations that contain sensitive and confidential data. We have the following recommendations.
- Make the protection of off-network data a high priority by creating a clear governance infrastructure for off-network security and increasing resources allocated to manage the risk. According to the study, less than 10 percent of the IT security budget is spent on this area of risk. This represents a misalignment of security resources.
- Measure the effectiveness of off-network security protections to better understand compliance with existing procedures and policies and to ensure enforcement. Only 39 percent of organizations in this study attempt to measure effectiveness. Such measures typically include improved IT efficiency, reliability of data destruction processes and total cost of ownership (TCO).
- Enforce the policies and procedures that govern off-network data. In addition, procedures should require that missing off-network electronic equipment be reported as soon as possible, since the window for containing a loss closes quickly.
- Don't ignore the need to protect other office equipment, such as servers, printers and fax machines, from loss or theft. According to our study, larger data-bearing devices such as servers represented 39 percent of equipment lost or stolen. Many organizations do not wipe drives before disposal and do not verify that sensitive data has actually been erased.
- Human error, non-compliance with policies, and negligence appear to be the overwhelming causes of off-network data breaches. Communications and training programs should be used to ensure that employees, temporary workers and contractors understand and apply the company's policies regarding the security of off-network data.
- Technology solutions in any organization should address the need to protect equipment and devices not only when they are on-network but also when they are off-network. For example, data on devices that are idle, powered off or otherwise not in active use should be protected by encryption, so that a stolen device yields nothing without the key, together with strict enforcement of policies and procedures.
Make the Case for Off-Network Security
Protecting data stored on devices outside the confines and control of the corporate network is a problem for which many companies simply do not have a solution. Our research shows that, while most companies recognize the risk off-network data poses, few seem to have a grasp on how to manage the many challenges it presents to maintaining a strong data security program. Yet 62 percent of respondents say that senior management is supportive of having procedures in place to protect off-network data. We believe this presents an opportunity for asset managers to make the case for allocating greater resources to solving the problem and for adopting the recommendations described above.
We encourage you to read National Findings: The Insecurity of Off-Network Security, which is available at www.redemtech.com/ponemon.
Dr. Larry Ponemon consults with leading multinational organizations on global privacy management programs and has extensive knowledge of regulatory frameworks for managing privacy and data security. Dr. Ponemon is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute, serves as chairman of the Government Policy Advisory Committee and co-chair of the Internet Task Force for the Council of American Survey and Research Organizations, and is a column editor for Computerworld, CSO Magazine, BNA and other leading publications.