Data protection still lacking in many businesses

PricewaterhouseCoopers has published a new report on data security that makes for interesting reading. It appears that despite regular warnings about data security, many businesses continue to play fast and loose with their confidential information. In fact, nearly 90% of PWC's ethical hacking tests are successful in gaining access to highly sensitive information.

The report warns that the problem will only get worse because organized criminals are now responsible for the majority of data and identity theft. Many companies are exposed quite simply because they are collaborating globally without adequate safeguards, thereby leaving their data exposed. They still seem to think that traditional firewall and perimeter protection is enough to protect their data, and this is despite longstanding warnings of perimeter security's inadequacy from groups like the Jericho Forum.

PWC warns that many companies are also falling into the trap of thinking that their data is secure because they have complied with industry regulations such as SOX, GLBA, HIPAA, or PCI. It says that although compliance provides a safety net, it is still a net with holes. Instead, companies should focus on risks and risk exposures to bring their information-protection level to where it needs to be.

The starting point for protecting company data is actually identifying where it is located. And according to PWC's 2008 Global State of Information Security Study, nearly three-quarters of the 7,000 IT professionals worldwide it surveyed do not maintain an accurate inventory of where high-value data is stored. It suggests that C-level executives should ask themselves a number of questions when assessing their company's information protection:

  1. Where is our most sensitive data and who has access to it?
  2. What regulations and standards apply to our data?
  3. Have we been a target of data and identity theft?
  4. Does our collaborative business model put our data at risk?
  5. Do our employees, customers, and business partners understand their role in protecting sensitive information?
  6. Do our safeguards provide data with end-to-end protection, even on mobile devices?

PWC then suggests an outline data protection strategy:

  1. Develop and implement a detailed information-protection plan.
  2. Identify and classify data according to sensitivity and risk. Know where it resides and flows.
  3. Understand the threats that are specific to your data and your organization.
  4. Implement protection capabilities to safeguard your sensitive data end-to-end.
  5. Test your protection capabilities. Monitor them continually and update them as necessary.
  6. Plan for a controlled and coordinated response to incidents when they occur.

Anthony Plewes

After a Master's in Computer Science, I decided that I preferred writing about IT rather than programming. My 20-year writing career has taken me to Hong Kong and London, where I've edited and written for IT, business and electronics publications. In 2002 I co-founded Futurity Media with Stewart Baines, where I continue to write about a range of topics such as unified communications, cloud computing and enterprise applications.