Corporate America, if you are not awake yet, you will be after reading this. Notwithstanding ample attention and effort focused on data security, an unbelievable but true 63 percent of U.S. corporations do not think that they can prevent data breaches, according to a recent report provided exclusively first to this columnist.
The just-released Detection & Prevention of Data Breaches Report, prepared by the Ponemon Institute and sponsored by PortAuthority Technologies, paints a bleak picture. The results of the report were compiled from a survey of 850 security practitioners on how they deal with the detection and prevention of data breaches within their U.S. companies.
While there has been heightened focus on data security, at a minimum, the true state of data security still presents many challenges that call out for further analysis and progress.
Even though 59 percent of the surveyed companies believe that they can effectively detect data breaches, as mentioned, 63 percent do not feel that they are in a position to prevent breaches. Apparently, many of these companies contend with high false-positive rates of up to 35 percent, which hampers their ability to detect breaches. Obviously, further work must be done to eliminate these false positives.
Troubling is the fact that 41 percent of the surveyed companies do not believe that they are effective at enforcing their data security policies. Why? The numero uno reason cited for failed enforcement is lack of resources. This is unacceptable. Data security is not the place to be penny-wise and pound-foolish. It is much better to plan and spend for prevention than it is to grapple with the burden and larger expense of a breach after-the-fact.
The companies report a 68 percent probability of detecting large data breaches (more than 10,000 data files each), while stating that smaller data breaches (less than 100 files each) are likely to be detected only 51 percent of the time. Both of these detection rates are too low. Better technological methods must be employed to ascertain breaches as soon as they happen, so that they can be stopped and damage can be minimized. Of course, prevention on the front-end is even better.
Interestingly, 16 percent of surveyed companies believe that they are invulnerable to data breaches. Either they are naive, or they are doing something very right that others should learn from.
Excessive cost is the main reason relied upon by companies that do not use leak prevention technologies. Indeed, 35 percent say that such technologies are too expensive. Even though effective data security is not the primary mission of most companies, as with appropriate and adequate insurance, a company is not a happy company when it does not have it when it needs it.
U.S. companies - are you awake? Are you ready? Are you at least ready to get ready?
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP where he focuses on litigation matters of various types, including information technology and intellectual property disputes.
His website is http://www.sinrodlaw.com and he can be reached at [email protected]. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line.
This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.