Slashdot Mirror


Most Companies Admit Their Data Is At Risk

Weblver1 writes "A recent survey of IT professionals published by web security firm Finjan shows that data-theft should be a good reason for concern. Based on answers from 1,387 professionals, 25% acknowledged that their organization has been breached. What's worse, 42% did not know and could not exclude a breach, reflecting on the number of organizations that could potentially be breached without anyone knowing after the fact. Other findings we should be concerned about include 82% of Healthcare IT respondents admitting that medical records are at risk of data-theft, and 68% of all sectors admitting sensitive corporate information can be compromised by cyber-criminals. Finjan's report is available here (PDF, registration required). This survey comes a week after Forrester Research found in their survey that IT security spending is expected to rise (or at least remain the same) — with the current level of data breaches and sensitive data that is not protected well enough, there is a good reason for it."

5 of 60 comments

  1. surprised? by zappepcs · Score: 4, Interesting

    I really don't think this will surprise anyone in the IT industry. It's not even really news. Most data remains secure/not-stolen simply by accident.

    That is just how things are. To secure data, it will not be pretty, comfortable, or cheap. In the current economic environment nobody is all set to start spending with an increase in IT budget of 250%, and so insecure it will remain.

    1. Re:surprised? by Lumpy · Score: 4, Interesting

      Bingo. When I was doing the SOX audits for the last Fortune 100 corporation I worked for, I highlighted all the problems and found solutions.

      The CTO and all other executives said, "The costs are too high to fix it; we'll just report we are out of compliance... the fines are cheaper."

      I left that company 3 weeks later.

      --
      Do not look at laser with remaining good eye.
    2. Re:surprised? by Ritchie70 · Score: 2, Interesting

      I don't fully agree with this. Sometimes standards are just for making auditors money and managers and regulators feel good.

      The large retailer I work for is technically not compliant with PCI-DSS standards.

      The reality of our current credit processing solution is that it would have to be done at the acquirer/processor for a system-wide data breach, and to breach a single retail location, the credit card data would have to be captured on the fly across the internal, no-gateway, wired point-of-sale LAN.

      It would have to be done with a new piece of hardware being placed on that network, because none of the equipment that belongs on the network is capable of getting into promiscuous mode and sniffing the network.

      NO credit data (account numbers, expiration date, etc) is stored in a database. Not anywhere. The few pieces of a card number (last 4 digits) we keep are stored in a database local to the store, with no way to globally pull that data out of the store.

      And yet, I've spent the better part of this year making us "more secure," because it brings us into compliance with what the PCI standard and auditors understand as security.

      And don't get me started about SOX...

      --
      The preferred solution is to not have a problem.
    3. Re:surprised? by The+Great+Pretender · Score: 2, Interesting

      I'm going out on a limb here because I'm on the 'dark side' of this. First I should note that we're a small company, 30+ people, dealing in research science. Our data security is important as it pertains to our IP. However, we are currently in a heated discussion with our IT department (2 people) over the security that they have implemented and want to further strengthen. While I stated our data is important, their draconian measures have severely limited the work progress. We have a Linux-based system (kiosk), only executives can have laptops and they are Macs, no thumb drives are allowed, no external laptops are allowed, no remote desktop is allowed, no Windows (even though certain government funding departments require IE) is allowed, etc. The bottom line is that we have a bunch of scientists who would normally work all hours from many locations and be happy to slave around the clock, but they are being curtailed to 9-5 work days, and the creativity in the company has plummeted. So I suppose my position stands, in our situation, that security over progress, especially when one understands and accepts the risks, is not an option.

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
  2. Why "Most" and not "All"? by Anonymous Coward · Score: 3, Interesting

    Depending how you look at the question, shouldn't those numbers be closer to 100%?

    We're talking about IT people here, a group whose job it is to believe in risk (whether that be from intruders or just hardware failure) and try to mitigate it. They also tend to think in absolutes, and are likely to interpret the question that way (i.e. view it as "no" risk instead of "low" risk). To believe that your data are absolutely safe and that it would be impossible for something bad to happen would seem to me like a sign of incompetence.

    Moreover, if there were no perceived risk, many of them would have no jobs. So I'm surprised the number is not higher.

    My guess is this survey tells us mostly about how people interpreted the question.