Survey: US firms lose laptops with sensitive data
Loss of confidential data — including intellectual property, business documents, customer data and employee records — is a pervasive problem among U.S. companies, according to a survey released yesterday by Ponemon Institute and Vontu, a San Francisco-based provider of data loss prevention products.
Eighty-one percent of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months, according to the survey, which queried nearly 500 information security professionals.
One of the main reasons corporate data security breaches occur is because companies don’t know where their sensitive or confidential business information resides within the network or enterprise systems, Larry Ponemon, chairman of the Ponemon Institute, said in a statement.
“This lack of knowledge, coupled with insufficient controls over data stores, can pose a serious threat for both business and governmental organizations,” Ponemon said. “Moreover, the danger doesn’t stop at the network, but includes employees’ and contractors’ laptop computers and other portable storage devices.”
Ponemon, whose research firm is based in Elk Rapids, Mich., is also a columnist for Computerworld .
Other findings of the study include the following:
Asked “How long would it take to determine what actual sensitive data was on a lost or stolen laptop, desktop, file server or mobile device?” the most frequent answer was “never,” according to the survey.
More than 53 percent of respondents believed that their companies would be unable to determine what sensitive or confidential information resided on a USB memory stick if it was lost or stolen. And approximately 49 percent of respondents said that their companies would be unable to determine what lost data resided on a handheld or comparable mobile device, according to the survey.
“Corporations are clearly struggling with the challenges of identifying and protecting sensitive data, as well as developing successful strategies for securing confidential information stored among the myriad devices that make up today’s data networks,” said Ponemon. “Our findings point to the shockingly high risk to both business and consumers of undiscovered confidential data, but we believe that the data also serve as a compass to help point organizations toward effective solutions to this vexing problem.”
According to Pete Lindstrom, an analyst at Spire Security in Malvern, Pa., organizations can take the following steps to protect sensitive data.
In the future, organizations will have another option for data encryption, said Stephen Northcutt, president of the SANS Institute, a Bethesda, Md.-based cybersecurity training and certification company.
“The newest laptops and desktops are shipping with something called the Trusted Platform Module, and it’s a chip that’s designed for secure storage so it was built to play very nicely with [public-key infrastructure],” Northcutt said. “It’s really a thing of the future. The laptops are shipping now, the software is available now, but the implementations don’t exist right this second.
“We think this will really be the final answer,” he said. “In the meantime, [organizations] are going to have to go with a third-party solution to [encrypt their data].”