Thursday, June 11, 2009

Corporate data security: You’re gonna need more than a policy

An alarming number of employees are ignoring data security policies and are routinely engaging in activities that could put their employer at risk, according to a survey released by Ponemon Institute Wednesday.

According to survey results, the most frequent data security offenses were employees copying secure data to USB drives, turning off security settings in mobile devices like laptops, and sharing passwords, all of which have the potential to put a company’s data at risk.

Of the 967 IT professionals surveyed, around 69% said they copied confidential company data to USB sticks, even though they knew it was against the rules. Worse still, some employees admitted that they had lost USB sticks holding company data but failed to report the loss immediately.

Another disturbing trend is the number of workers engaging in online activities that raise the risk of infecting company computers with malicious software.

About 31% of respondents engaged in social-networking practices on the Web from work PCs and around 53% said they downloaded personal software on company PCs, increasing the risk of spreading malware in the workplace, according to the research.

Mobile technologies that let employees do more while on the road are contributing to the issue, said Larry Ponemon, chairman and founder of Ponemon Institute, in a blog entry. As the use of mobile devices grows, the inability to enforce data security policies could increase the possibility of data breaches. "I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity," he said.

Over half (58%) of the IT professionals surveyed put the blame on companies for failing to provide employees with adequate data security awareness and training. About 57% also said their company’s data protection policies were ineffective and 43% said there was poor communication and enforcement of data security policies.

“The Ponemon Institute believes these results show overall lack of urgency by companies on the need to address data security. Unfortunately, our studies have also shown that it often takes a data breach incident before an organization will finally get their wake-up call and take data security seriously.” (Dr. Ponemon’s blog)

As the survey results showed, it’s going to take more than just a policy to ensure that your company’s data is secure and protected. Read some of these past posts for more information on not only setting up a data security policy, but also training employees on how to keep your company safe:

Employee anti-phishing training, one scam at a time

Six tips for setting up a computer security policy

Employee security training: Spam 101

Employee security training: How to catch ‘phish’

Disgruntled Chrysler employee fired after Internet post
