Most Companies Admit Their Data Is At Risk

Weblver1 writes "A recent survey of IT professionals published by web security firm Finjan shows that data-theft should be a good reason for concern. Based on answers from 1,387 professionals, 25% acknowledged that their organization has been breached. What's worse, 42% did not know and could not exclude a breach, reflecting on the number of organizations that could potentially be breached without anyone knowing after the fact. Other findings we should be concerned about include 82% of Healthcare IT respondents admitting that medical records are at risk of data-theft, and 68% of all sectors admitting sensitive corporate information can be compromised by cyber-criminals. Finjan's report is available here (PDF, registration required). This survey comes a week after Forrester Research found in their survey that IT security spending is expected to rise (or at least remain the same) — with the current level of data breaches and sensitive data that is not protected well enough, there is a good reason for it.

Huge Bias in samplling method

[nathan.fulton]

From the footnotes of the PDF:
-The anonymous survey was open to all respondents independent of geographical location, job title, company size or industry.
-The survey was web-based and aimed at respondents interested in or worried about web security threats in general and aimed at their organization. In other news, when we polled members before entering a porn site, 98% said they plan on taking measures to protect their web anonymity within the next hour. The other 2% have a very strange fetish.

Re:surprised?

[plover]

Like everything else, it takes external pressures to get companies to spend where they haven't had to before.

In the case of retail stores, it's the Payment Card Industry's Data Security Standard (PCI DSS) that requires merchants to submit to security audits in order for them to continue accepting credit cards. In the case of pharmacies, it's the threat of HIPPA/Privacy suits that encourages them to protect their data. For publicly traded firms, it's the Sarbanes-Oxley Act (SOX). For banks, it's the Graham-Leach-Bliley Act (GLBA).

For industries that aren't feeling those pressures, sometimes breaches of security will motivate them. For the rest, nothing will likely happen until something else changes.

Silly Survey, Medical Data is pretty bad though

[jbsooter]

I don't think I've ever worked with a system that couldn't be breached if someone wanted to bad enough and IT professionals in charge of them are likely to know exactly how to do it. There's a big difference in a system that could possibly be breached by criminals with intimate knowledge of it and a system that is realistically at significant risk. Asking paranoid IT pros if their systems are vulnerable is likely not a great indicator of the likelihood of them being breached. Of course, asking overconfident ones is probably a worse indicator.

I will say that some medical records are probably the easiest things in the world to get a hold of. Small private practices generally don't have the knowledge or resource to properly secure their data. A lot of them leave patients in exam rooms alone with a computer, often connected to the internet, for extended periods of time. Not necessarily bad if decent security practices are in place but again, small practices generally don't have the knowledge to have them or just don't feel the need to enforce them.

I know a guy who did some IT work for several small practices and he still contends that MAC Authentication is about as good as security gets for wireless networks and his clients have all the faith in the world in his judgment. Until those networks get breached and someone leaves enough evidence behind to prove him wrong, its likely those networks will be open to the world.