Slashdot Mirror


Most Companies Admit Their Data Is At Risk

Weblver1 writes "A recent survey of IT professionals published by web security firm Finjan shows that data-theft should be a good reason for concern. Based on answers from 1,387 professionals, 25% acknowledged that their organization has been breached. What's worse, 42% did not know and could not exclude a breach, reflecting on the number of organizations that could potentially be breached without anyone knowing after the fact. Other findings we should be concerned about include 82% of Healthcare IT respondents admitting that medical records are at risk of data-theft, and 68% of all sectors admitting sensitive corporate information can be compromised by cyber-criminals. Finjan's report is available here (PDF, registration required). This survey comes a week after Forrester Research found in their survey that IT security spending is expected to rise (or at least remain the same) — with the current level of data breaches and sensitive data that is not protected well enough, there is a good reason for it."

10 of 60 comments

  1. surprised? by zappepcs · · Score: 4, Interesting

    I really don't think this will surprise anyone in the IT industry. It's not even really news. Most data remains secure/not-stolen simply by accident.

    That is just how things are. To secure data, it will not be pretty, comfortable, or cheap. In the current economic environment nobody is all set to start spending with an increase in IT budget of 250%, and so insecure it will remain.

    1. Re:surprised? by Lumpy · · Score: 4, Interesting

      Bingo. When I was doing the SOX audits for the last Fortune 100 corporation I worked for, I highlighted all the problems and found solutions.

      The CTO and all other executives said, "The costs are too high to fix it, we'll just report we are out of compliance. The fines are cheaper."

      I left that company 3 weeks later.

      --
      Do not look at laser with remaining good eye.
    2. Re:surprised? by plover · · Score: 3, Informative

      Like everything else, it takes external pressures to get companies to spend where they haven't had to before.

      In the case of retail stores, it's the Payment Card Industry's Data Security Standard (PCI DSS) that requires merchants to submit to security audits in order for them to continue accepting credit cards. In the case of pharmacies, it's the threat of HIPAA/Privacy suits that encourages them to protect their data. For publicly traded firms, it's the Sarbanes-Oxley Act (SOX). For banks, it's the Gramm-Leach-Bliley Act (GLBA).

      For industries that aren't feeling those pressures, sometimes breaches of security will motivate them. For the rest, nothing will likely happen until something else changes.

      --
      John
  2. Do you trust me? by BadAnalogyGuy · · Score: 4, Insightful

    Do you trust the people you work with? Any individual in any business can access all sorts of material information.

    Maybe it will be leaked to someone outside. Maybe it will be inadvertently passed in an email reply. Maybe someone will break in and steal an unguarded laptop.

    There is no way to protect any data. The medical records everyone cries over are already shared with your doctors. Do you trust their secretaries? Do you trust the software makers and the maintenance/service engineers who come to diagnose software problems?

    There is no privacy, and there is no secret information. There is only information which has not yet been leaked. And your only hope is that any information that is leaked is already moot by the time it becomes public.

  3. Huge Bias in sampling method by nathan.fulton · · Score: 5, Informative

    From the footnotes of the PDF:

    - The anonymous survey was open to all respondents independent of geographical location, job title, company size or industry.
    - The survey was web-based and aimed at respondents interested in or worried about web security threats in general and aimed at their organization.

    In other news, when we polled members before entering a porn site, 98% said they plan on taking measures to protect their web anonymity within the next hour. The other 2% have a very strange fetish.

  4. And 33% think they are immune? by nmos · · Score: 4, Insightful

    Personally I'd be more worried about the other 33% who seem to think they could not possibly have had their security breached.

  5. Well, duh. by julesh · · Score: 3, Insightful

    25% acknowledged that their organization has been breached. What's worse, 42% did not know and could not exclude a breach

    No, that's not worse. That's _better_. Those 42% are being realistic. Realistically, unless you're one of a tiny percentage of people who either (a) receives so little traffic they can audit it all or (b) can be 100% certain of the security of all the software they're running, you should be in one of those two categories: breached, or don't know whether you've been breached but can't exclude it.

    What's _actually_ worrying is that 33% of respondents think they are in one of these two categories, when in actual fact I'd suspect the figure is less than 1%.

    (FTR: my company is in the 'breached' category. We had a worm infect one of our servers via a BIND bug back in 2000 or so, although the infection was apparently unsuccessful... it seemed to rely on there being a line feed on the end of the last line of /etc/inetd.conf, and our file didn't have one. I can't, obviously, rule out any breaches since then, but am reasonably confident there haven't been any.)

  6. Why "Most" and not "All"? by Anonymous Coward · · Score: 3, Interesting

    Depending how you look at the question, shouldn't those numbers be closer to 100%?

    We're talking about IT people here, a group whose job it is to believe in risk (whether that be from intruders or just hardware failure) and try to mitigate it. They also tend to think in absolutes, and are likely to interpret the question that way (i.e. view it as "no" risk instead of "low" risk). To believe that your data are absolutely safe and that it would be impossible for something bad to happen would seem to me like a sign of incompetence.

    Moreover, if there were no perceived risk, many of them would have no jobs. So I'm surprised the number is not higher.

    My guess is this survey tells us mostly about how people interpreted the question.

  7. Would they even know? by khasim · · Score: 3, Insightful

    For industries that aren't feeling those pressures, sometimes breaches of security will motivate them.

    From TFA:

    25% of the respondents reported that their data had been breached, with an overwhelming 42% of respondents who could not exclude the possibility of a breach

    I'd be more interested in those who DID believe they could spot a cracker after the fact.

    I'm not talking "what's this daemon running on my server" or "why are all these warez on my server".

    I'm talking someone cracking your server and copying your data last year. Without installing anything that could be traced.

    There are very few people who really know that their systems have not been cracked. And those people would be the ones who would be instantly aware if they were cracked tomorrow.

    I'm fighting with our programmers right now about how they should put confidential information on our website. They want to link from the website in our DMZ to the database server behind our firewall. So anyone who can crack the webserver has a direct line to our database server.

    But all of the other approaches are "too hard" or "too time consuming".
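    The design concern khasim raises (a DMZ web server holding a direct line to the internal database) can be shown in a few lines. The example below is added here and is not code from the thread or from any product: it contrasts a web tier that owns a DB connection with one that can only call a narrow broker (assumed to run on an internal host, with a hypothetical `RecordBroker` API and constructed sample rows), so that a compromised web server gains one scoped lookup instead of the whole table.

```python
import sqlite3

# Constructed sample data standing in for the database behind the firewall.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        (1, "alice", "confidential-1"),
        (2, "bob", "confidential-2"),
        (3, "carol", "confidential-3"),
    ])
    return db

# Pattern 1: the DMZ web tier holds the DB connection and builds SQL itself.
# Whoever controls the web server controls the query, so a compromise of the
# web host is a compromise of every row the DB account can read.
def direct_dump(db):
    return [row[0] for row in db.execute("SELECT body FROM records")]

# Pattern 2 (hypothetical broker, assumed to sit on an internal host): the web
# tier never sees the DB. The broker owns the connection, exposes exactly one
# parameterised operation bound to the caller's session, and has no "run SQL"
# method at all. The blast radius of a cracked web server shrinks to what that
# one operation can return for the sessions it is handling.
class RecordBroker:
    def __init__(self, db):
        self._db = db

    def fetch_own_record(self, session_user, record_id):
        row = self._db.execute(
            "SELECT body FROM records WHERE id = ? AND owner = ?",
            (record_id, session_user),
        ).fetchone()
        return row[0] if row else None

# What an attacker holding the web tier can extract through the broker while
# riding one user's session: enumerating ids yields only that user's rows.
def broker_reach(broker, session_user, max_id=100):
    found = []
    for rid in range(1, max_id + 1):
        body = broker.fetch_own_record(session_user, rid)
        if body is not None:
            found.append(body)
    return found
```

    The firewall rule that matches this design allows the DMZ host to reach only the broker's port, not the database port.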

  8. Silly Survey, Medical Data is pretty bad though by jbsooter · · Score: 3, Informative

    I don't think I've ever worked with a system that couldn't be breached if someone wanted to bad enough and IT professionals in charge of them are likely to know exactly how to do it. There's a big difference in a system that could possibly be breached by criminals with intimate knowledge of it and a system that is realistically at significant risk. Asking paranoid IT pros if their systems are vulnerable is likely not a great indicator of the likelihood of them being breached. Of course, asking overconfident ones is probably a worse indicator.

    I will say that some medical records are probably the easiest things in the world to get a hold of. Small private practices generally don't have the knowledge or resources to properly secure their data. A lot of them leave patients in exam rooms alone with a computer, often connected to the internet, for extended periods of time. Not necessarily bad if decent security practices are in place, but again, small practices generally don't have the knowledge to have them or just don't feel the need to enforce them.

    I know a guy who did some IT work for several small practices and he still contends that MAC Authentication is about as good as security gets for wireless networks, and his clients have all the faith in the world in his judgment. Until those networks get breached and someone leaves enough evidence behind to prove him wrong, it's likely those networks will be open to the world.