How can you protect data if you don't know where it is?
The recent revelations from whistle-blowing website WikiLeaks may have got many businesses thinking about information security, but a recent survey from Imperva suggests that many companies are blissfully unaware of exactly what sensitive information they hold and where it is stored.
The survey of over 150 IT security professionals found that only 18% of respondents said that they knew the exact number of sensitive files they had, and just 39% could say for sure where those files were located on their servers. Worryingly from a data loss prevention point of view, 65% said they were unsure who has access to these sensitive files.
Noa Bar-Yosef, Imperva's senior security strategist, told CBR this lack of awareness is leaving gaping security holes in many organisations. "Our survey showed that 82% say breaches such as WikiLeaks made them reconsider their company's data security policies," she said. "But if you don't know where the data is held or who has access to it, how can you protect it?"
Keeping on top of what type of documents a company has, as well as where they are and who has access to them, is vital for audit and compliance issues, Bar-Yosef added. However, the recent explosion in the use of smartphones and tablets, not forgetting laptops, means that corporate data, much of it sensitive in nature, is being carried around outside the firewall. This makes it a nightmare to look after from the protection, compliance and auditing point of view, Bar-Yosef said.
"A separate survey we conducted found that 85% of respondents admitted to carrying corporate data on the home or mobile devices, while 70% said they would take data with them if leaving a job. However 79% claimed their organisation does not have, or they are unaware of, any policy to remove corporate data from a worker's laptop when they leave the firm," she said.
Recent fines handed out by the Information Commissioner's Office (ICO) - the severity and effectiveness of these fines is another debate altogether - have highlighted the need for businesses to take stock of their data protection policies. Two councils - Ealing and Hounslow - were fined a total of £150,000 after laptops containing personal information were stolen.
"The first step to a solid data security plan is taking inventory of your sensitive files and knowing where they are and who has access to them at all times," commented Imperva's CTO Amichai Shulman. "Only with this complete picture will you be able to guard against insider threat by detecting when sensitive data is being added or removed, or when an employee is improperly accessing files."