83% don't know where their sensitive data is located

With the transition to the cloud, the ability to track and secure the data at all points of its lifecycle is critical - Will Semple, Alert Logic

83% don't know where their sensitive data is located
83% don't know where their sensitive data is located

After surveying more than 1,500 global IT and IT security professionals, the Ponemon Institute has concluded that just 17 percent of UK firms actually know where their sensitive data is located.

The report also notes that, whilst 79 percent of UK respondents think an automated platform may the answer to this problem, just 40 percent of UK companies actually use this technology.

Even then, the Ponemon research - which was sponsored by Informatica - says that just 23 percent of UK firms delve into their emails and files to seek out sensitive data.

The solution to thee challenges, says the analysis, is more skilled data security staff (49 percent of UK firms) and more effective data security technology (50 percent of UK companies).

On the global front - taking in responses from 16 countries - Ponemon says that only 26 percent of respondents reported they are confident in their ability to always detect a data breach involving structured data - whilst only 12 percent are as confident if the breach involves unstructured data.

So where does this leave us on the data breach issue?

The report concludes that breaches could be avoided if the organisation had more effective data security technologies in place (58 percent of global respondents), more skilled data security personnel (57 percent) and more automated processes and controls (54 percent).

Dr Larry Ponemon, the chairman and founder of the Ponemon Institute, said that the report's findings indicate that sensitive and confidential data continues to proliferate beyond traditional IT perimeters.

“The majority of respondents agree that not knowing the location of data poses a serious security threat. Clearly, the time is ripe for a wider adoption of the technologies and expertise to make data-centric security an enterprise priority," he explained.

Commenting on the report, Sarb Sembhi, an analyst and director with STORM (Strategic Tactical Operational Risk Management) Guidance, said that the key takeout from the report is that there needs to be a mixture of automated and semi-automated - with human oversight - analysis of where sensitive data is stored, before protective systems can be brought into play.

"My observations are that there are very few organisations that can make a strategic decision about their data as whole," he said, adding that - in many cases - for historical reasons, large organisations often have 30 or even 40 suppliers of IT systems that manage their data,

"Some of the smarter organisations are beginning to take their responsibilities regarding the new EU data protection rules a lot more seriously and realising they need a lot more control over their data. I think this issue is going to be a key driver in the near future," he explained.

Hugh Thompson, a lecturer in cyber-security at Columbia University, chair of the RSA Conference and chief security strategist with Blue Coat, told SCMagazineUK.com that the numbers in the Ponemon report are not surprising.

"People are using different tools than they were five years ago, things like Sharepoint. They are achieving greater productivity and efficiency, with these services enabling them to work better than with what their IT department offers," he said.

This means, he added, that both groups of users are standardising on platforms without even telling IT what they are using and there is a wide range of services on offer.

Against this backdrop, Thompson says that companies need to embrace these services as they are the most productive and winning in the market place, but whilst they are more efficient, the company is less aware of what is on them.

"We therefore need to bridge that gap by offering security solutions for their use. These need to allow access to the technology and de-risk it, let the company know what's on it, and provide solutions that are not painful to use – or they will not be used. You may think you can ban them, but you'll most likely find you haven't stopped their usage," he explained.

Will Semple, VP of research and intelligence with Alert Logic, agreed with Thompson's analysis, saying that, what this report highlights is that the way we think about data needs to change.

"From a business perspective, data represents Intellectual Property, customer information, financial information and data on our people. Traditionally, the security conversation was about securing access to the data, who was allowed to read what data," he said, adding that access control is still very important, but the conversation that business leaders need to start having is: `Where is my data?'

"It is no longer confined to the databases and file servers behind the firewall on-premise, where an IT manager can physically go up and touch the server and storage. With the transition to the cloud, the ability to track and secure the data at all points of its lifecycle is critical to establishing a data security programme that incorporates the benefits of private, public and hybrid on perm cloud solutions," he explained.