Internal Forces the Cause of Lost Data?

3 05 2010

Last week, I blogged about Accenture’s new report, “How Global Organizations Approach the Challenge of Protecting Personal Data,” and focused on its first finding, “there is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.” This week, let’s look at the second key finding:

“A majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they could potentially control. This suggests accountability for and ownership of how sensitive data is used may be lacking in many organizations.” The report goes on to state that, “larger organizations struggle more to prevent breaches than smaller ones – likely because, with many more employees and more geographically dispersed operations, the opportunities for data to be lost or compromised are greater.”

The report found that 70 percent of organizations with more than 75,000 employees have experienced a loss of sensitive personal information, compared to 40 percent of organizations with fewer than 500 people. Internal issues – employees (48 percent) and business or system failure (57 percent) – were cited most often as the source of data breaches, a stark contrast to the common perception that external forces are the biggest threats to security and privacy. What lies behind these internal causes of data loss?

  • Lack of adequate policies and training programs
  • Lack of adequate controls – employees have too much access to sensitive data
  • Not having a full understanding of data flows across the organization

From an employee standpoint, there are simple measures that reduce the chance of sensitive, proprietary or confidential information being compromised. Giving employees an easy-to-use tool to encrypt and protect data, rather than expecting them to work out encryption on their own, puts you one step ahead of the game.

For larger organizations, the task is more complicated. A large data center may use several protocols for sending information both internally and externally: FTP, SFTP and home-grown solutions, to name a few. These are not equivalent: plain FTP sends credentials and file contents in cleartext, while SFTP encrypts both. Many large organizations are not even aware of all the protocols used to transfer data, which is the third cause above (not understanding data flows) in practice. The result is silos of information and no consistent, secure way to move files. Solutions do exist to transfer data and files securely enterprise-wide, with user authentication, controls and policies applied in one place; the first step toward any of them is an inventory of which transfer channels are actually in use.
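The inventory step deserves a concrete illustration. The script below is an added example, not code from the original post or from Accenture’s report: it reads connection records in a constructed, hypothetical log format (the `src=… dst=… dport=…` layout is assumed; adapt the regular expression to what your firewall or flow collector actually emits), counts the transfer channels seen, and flags every transfer over a channel not known to encrypt in transit. It treats 10.0.0.0/8 as the internal network, which is also an assumption for the sample data. Unknown destination ports are reported as “unclassified” and treated as cleartext until someone proves otherwise, since that is exactly where home-grown transfer tools tend to hide.

```python
import re
from collections import Counter

# Constructed sample records in a hypothetical log format (not real traffic).
SAMPLE_LOG = """\
2010-05-03T09:12:01 src=10.0.1.5 dst=10.0.2.9 dport=21 proto=tcp bytes=10240
2010-05-03T09:12:07 src=10.0.1.5 dst=10.0.2.9 dport=20 proto=tcp bytes=524288
2010-05-03T09:15:33 src=10.0.1.8 dst=10.0.2.9 dport=22 proto=tcp bytes=786432
2010-05-03T09:20:10 src=10.0.3.2 dst=203.0.113.7 dport=21 proto=tcp bytes=4096
2010-05-03T09:21:45 src=10.0.3.2 dst=10.0.2.11 dport=9876 proto=tcp bytes=1048576
2010-05-03T09:30:00 src=10.0.1.9 dst=10.0.2.9 dport=990 proto=tcp bytes=2048
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)

# Well-known transfer ports: (channel name, encrypts credentials and content in transit)
KNOWN_PORTS = {
    20: ("ftp-data", False),
    21: ("ftp", False),
    22: ("sftp/scp", True),
    990: ("ftps", True),   # implicit-TLS FTPS
}


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def classify(rec):
    """Map a record to (channel name, encrypted?). Unknown ports are reported
    as 'unclassified' and treated as unencrypted until proven otherwise."""
    return KNOWN_PORTS.get(rec["dport"], ("unclassified", False))


def is_internal(ip):
    """Assumption for this example: 10.0.0.0/8 is the internal network."""
    return ip.startswith("10.")


def inventory(log_text):
    """Return (channel counts, findings). A finding is any transfer over a channel
    that is not known to encrypt; transfers to external hosts are listed first."""
    channels = Counter()
    findings = []
    for rec in parse(log_text):
        name, encrypted = classify(rec)
        channels[name] += 1
        if encrypted:
            continue
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "channel": name, "dport": rec["dport"], "bytes": rec["bytes"],
            "scope": "internal" if is_internal(rec["dst"]) else "external",
        })
    # External cleartext transfers are the ones to chase first.
    findings.sort(key=lambda f: (f["scope"] != "external", f["ts"]))
    return channels, findings


if __name__ == "__main__":
    counts, flagged = inventory(SAMPLE_LOG)
    print("channels in use:", dict(counts))
    for f in flagged:
        print(f"{f['scope']:8} {f['channel']:13} {f['src']} -> "
              f"{f['dst']}:{f['dport']} ({f['bytes']} bytes)")
```

Run against a day of real flow data, the channel counts tell you how many distinct transfer paths exist (the silos the paragraph above describes), and the findings list tells you which of them move data in cleartext and to where. The ordering matters: a cleartext FTP session to an outside address is a different conversation from one between two internal hosts, even though both need fixing.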

Do you have internal policies or controls set up to ensure the security of your data?

Protecting Personal Data Globally

27 04 2010

In a recent report published by Accenture, “How Global Organizations Approach the Challenge of Protecting Personal Data,” five key findings emerged from its research:

  1. There is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.
  2. A majority of organizations have lost sensitive, personal information, and among these organizations, the biggest causes are internal and therefore something they potentially could control.
  3. Compliance complacency is prevalent throughout the world.
  4. Understanding the perspective on and approach to data privacy and protection of business partners is crucial.
  5. Organizations that exhibit a “culture of caring” with respect to data privacy and protection are far less likely to experience security breaches.

Let’s look at the first point: there is a notable difference between organizations’ intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.

The Accenture report supplements this finding with the following facts:

  • Approximately 70 percent of both business and individual respondents strongly agreed or agreed that organizations have an obligation to take reasonable steps to secure consumers’ personal information, disclose how they use consumers’ personal information and deal with the ramifications if they lose consumers’ personal information.

The report then notes results that sit uneasily with that consensus. Between 40 and 50 percent of the business respondents in its survey:

  • Were unsure about or actively disagreed with granting individuals the right to control the type of personal information about them that is collected and how that information is used.
  • Did not believe it was important or very important to limit the collection and sharing of sensitive personal information.
  • Did not believe a range of typical organizational privacy practices were important or very important (including notice, consent, access, redress, security, minimization and accuracy).

The report goes on to explain the reasons for these discrepancies, including industry differences, cultural and regional differences, and a lack of clear accountability and responsibility for data privacy and protection within the organization. A key reason accountability is unclear is the number of functions involved: “They also may find that the management responsibility and accountability can be fragmented, with the Chief Information Officer, Chief Information Security Officer, Chief Privacy Officer or the legal function all having some involvement, depending on the specific aspect of data privacy and protection in question. For instance, the CIO could be responsible for maintaining IT and data security…”

This well-researched report focuses on the complexity of data security, which raises a practical question: how can a CIO actually maintain IT and data security? One concrete answer is Managed File Transfer, which gives the organization a single authenticated, encrypted and audited channel for moving data in place of ad hoc FTP scripts and home-grown tools. It addresses the data-in-transit part of the problem; the accountability question the report raises still has to be settled by people, not by a product.