Fresh on the heels of a string of highly publicized corporate data breaches, 63 percent of respondents to a new data security study said they don't believe they can prevent such breaches.
"This group came out much, much more negative than I ever expected," said Larry Ponemon, the founder and chairman of the Ponemon Institute LLC, an Elk Rapids, Mich.-based firm that looks at information and privacy management practices in business and government. "They said they're bad at detecting [breaches], but even worse at preventing [breaches]."
The 11-page study (http://www.portauthoritytech.com/resources/downloads/wp_Ponemon_Institute_Study.pdf), "National Survey on the Detection and Prevention of Data Breaches," which was released Monday, is based on responses from 853 IT professionals, including senior executives, information security managers and others. The study was sponsored by PortAuthority Technologies Inc., a Palo Alto, Calif.-based vendor of information leak prevention software.
The study also found that 41 percent of respondents said their companies are not effective in enforcing data security policies because of a lack of corporate resources.
"A general frustration came out that they don't have the tools or the resources to do the job, and that these responsibilities have been pushed into their laps" but they haven't been given extra help, equipment, software or other tools, said Ponemon, who is a Computerworld.com columnist. "Somehow they're being held responsible for knowing when a breach occurs."
About 66 percent of the respondents said their companies use hardware or software to help detect or prevent data breaches, but the remaining respondents said their companies don't use such tools because of their high costs.
Some 16 percent said their companies believe that their manual security procedures are enough and that they are not vulnerable to a data breach.
"I think a lot of these companies are completely out of control ... in protecting sensitive or confidential business information," Ponemon said. "There's a lot of room for improvement."
Other highlights of the study include the following:
- 59 percent of those surveyed said they believe they can effectively detect a data breach using available IT tools and procedures.
- Respondents reported a 68 percent probability of detecting a large data breach (of more than 10,000 data files), while they said small data breaches (fewer than 100 files) are likely to be detected only 51 percent of the time.
Jon Oltsik, a security analyst with Enterprise Strategy Group in Milford, Mass., said the Ponemon figures mirror statistics that have been collected by his company.
"The 41 percent who say they don't have the resources [to effectively fight the problem] -- that I completely believe," Oltsik said. "A lot of companies are kind of slow" in dealing with such problems, he added.
Oltsik said his data shows that the biggest risk for data breaches is the use of laptop computers, which can be easily lost or stolen.
Monitoring a company's data use policies is important, he said, but that's difficult to do because of employee training needs, turnover and other issues. "No one does that kind of stuff," he said.