Companies that experience a data breach are being more thorough in assessing the damage of a security breach rather than swiftly notifying victims, according to a new survey conducted by the Ponemon Institute.
"Forensics helps an organization to be more surgical and find out who's actually at risk." Larry Ponemon, chairman of Ponemon Institute
The three most useful ways to reduce the negative consequences of a security breach are to hire outside legal counsel, assess the potential damage to victims and hire computer forensics experts to investigate the breach, according to the survey of nearly 600 IT professionals.
"People want to have a studied and thorough approach and not over-report," said Ponemon Institute founder and chairman Larry Ponemon. In short, companies would rather know whether the data breach actually endangers the security of the victims' identity and financial security before telling them their information has been leaked. Over-reporting can cause a major loss in trust between a company and the victims, Ponemon said.
"Forensics helps an organization to be more surgical and find out who's actually at risk," Ponemon said. The results of a careful investigation can help guard against future data breaches, he said.
The Ponemon survey reached 584 IT professionals who indicated they were from organizations that experienced a data breach in the last two years. The data breaches prompted senior leadership to more fully embrace data security and as a result IT security budgets increased for most organizations, according to the survey.
Insider threats feared the most
The majority of IT professionals surveyed agree that investigating a breach helps prepare the company for future breaches. According to the report, 61% said that their employees are now more careful to protect sensitive and confidential information.
Insider threats, mostly poor handling of sensitive data by employees, are at the root of many data breaches, according to the survey. The survey found that 34% of participants who could identify the cause of the breach say it was due to a negligent insider rather than a malicious cyberattack (7%). In addition, 19% of participants indicated that a breach was caused during the outsourcing of information, while malicious insiders accounted for 16% of breaches.
The most cited technique for prevention is the integration of new employee training and awareness about data breaches.
Endpoint security, data encryption
Aside from training and awareness, there has also been an upswing in organizations controlling endpoints to their systems, hiring outside counsel to provide legal advice and establishing incident response plans.
Controlling endpoints, such as employee smartphones, has become an important part of securing corporate data. Ozzie Fonseca, senior director of Experian Data Breach Resolution, which sponsored the survey, said the relationship between mobile devices and policy is too disconnected.
"Companies should provide mobile devices in order to monitor the access they have," he said. "People who are connected to work 24 hours a day need to have access." However, Fonseca warns that employers must retain control by limiting the data available, encrypting it, and reserving the right to wipe any device that has been lost or stolen.
Fonseca is surprised that 60% of corporate data -- including personal information, login credentials, medical records, etc. -- is still not being encrypted. Although to him it seems like common sense, data security is often sidelined in favor of investments that make money.
"There's complexity in IT on the increase, and until an organization has a security breach they are looking more at efficiency and productivity," Ponemon said. Often security measures like encryption and the hiring of additional IT security staff aren't observed until after a breach.
Ponemon is optimistic to see a slow but steady increase in the number of companies encrypting their data, but agrees that the industry has a long way to go.
"A lot of organizations don't have an incident response plan in place, or they have one but it's just words on paper that they've never tested," he said. And while one company might learn from a breach, those that never experienced one unfortunately assume it won't happen to them when they should be learning from others' mistakes.





