Worry More About Data Security
To expect data security to be perfect is not realistic. Inevitably, mistakes will happen and data will be lost. But such a realistic view does not mean glossing over those mistakes. If anything, realism compels us to take ever more vigilant measures to ensure that our customer, operational, and intellectual property data is safe.
But, if recent research tells us anything, many organizations are not taking a realistic enough view of the importance of their data to invest in the systems and processes needed to protect it. They must live in a fantasy world where guarding data is not that important.
Take the 2012 Global State of Information Security Survey from PricewaterhouseCoopers. PwC’s 14th survey shows that 72% of those polled are confident in their efforts to protect data. However, the same executives surveyed admit that the metrics used to determine the quality of their data security have steadily declined over the past three years. PwC calls it a “troubling degradation in core security capabilities.” For example, only 41% in the survey have an identity management strategy and, worse, a mere 29% have an accurate inventory of where their data resides, down from 39% in 2009.
This lackadaisical attitude toward data security probably contributed to the frightening results from Verizon’s annual Data Breach Investigations Report. The 2012 report revealed “the second highest data loss total since we started keeping track in 2004.”
The raw numbers are disturbing. The 855 incidents of data breaches in 2011 resulted in 174 million stolen records. But the truly scary aspect of these breaches is that, according to those who reported on the data breaches, 97% could have been prevented through “simple or intermediate controls.” In other words, had organizations taken even rudimentary security precautions, the number of incidents and records lost would have been a mere handful.
There are numerous technologies, services, and best practices for keeping your information secure. One of the most underused, in my mind, is applying analytics to system event logs. These data sources can be used as an early warning system that someone has potentially slipped through your security net. There’s little or no chance that a person can scan these logs and detect a pattern indicating a security breach. But analytics can do so and do it in real time to help avert a catastrophic loss of information.
Maintaining data security is difficult with so many criminals targeting organizations of all kinds and sizes. But enterprises should not make it any easier for data thieves by overlooking “simple or intermediate controls” and leaving the welcome mat out for them.