A survey conducted at the RSA conference found that organizations are either not creating proper information security policies or not enforcing existing ones.
Organizations talk about protecting sensitive information and data security,
but few of them actually follow through, according to a recent survey. They
haven't updated their information-security policies even in the post-WikiLeaks world.
In a survey of IT executives
released March 8, Ipswitch File Transfer found that while 40 percent ranked
protecting sensitive information as a top IT priority in 2011, nearly 55
percent said their companies don't enforce policies and tools for sharing and
protecting sensitive information. Ipswitch conducted the survey during the RSA
Conference in San Francisco in February.
Approximately 77 percent of
IT executives attached classified information and files, including payroll,
customer data and financial information, to e-mail messages at least once a
month, and nearly 60 percent did so weekly, Ipswitch found in the survey.
There are two security
implications to this, Hugh Garber, product marketing manager at Ipswitch, told
eWEEK. Even if the employee is trying to be productive by working from home, if
is not secure, there is a chance that information can be
compromised, he said.
"It might not be a malicious
act, but the act is inherently risky," he said.
However, approximately a
quarter of surveyed employees, or about 26 percent, admitted to sending around
files they shouldn't be sharing and using their personal e-mail addresses to
hide the fact they were doing so, Garber said.
"Companies can't expect to
secure confidential information if they don't have visibility into what's being
shared, by whom, with whom and how," said L. Frank Kenney, vice-president of
global strategy and product management at Ipswitch.
About 65 percent said in the
survey that they had no visibility into files and data leaving their
organization. This is worrisome in light of the fact that 20 percent of the
respondents felt that managing the flow of information internally and
externally was critical. One-fourth said security in the cloud was important,
as well. Companies are talking about security, but not following through.
The problem is pervasive,
said Garber. If management doesn't lead by example, or doesn't provide
employees with a simple and secure way of transferring files, then employees
will find alternatives, he said.
Having, but not enforcing,
policies is just as bad as never having them in the first place, Garber said.
Increased reliance on external
drives in the workplace is partly to blame for the current state of data
insecurity. More than 80 percent of the respondents used USB drives, smartphones
and tablets to move and back up confidential documents, the survey found. More
than half (57 percent) saved confidential files to external devices at least
once a week, an 11 percent increase over 2010, Ipswitch said. These devices can
easily be lost or stolen.
Case in point: A few months
ago a Cambridgeshire County (England) Council staff member was saving case notes and meeting
minutes onto an unencrypted USB drive even though the council had issued
encrypted memory sticks for this purpose. The employee had trouble using the
encrypted device, according to the BBC. The unauthorized drive, which contained
private and sensitive information on six adults, was lost.
If top-level executives
don't enforce the policies, employees will rely on other tools, Garber
said. While creating policies is a start, enforcement is just as
essential, he said.
More than 40 percent of
surveyed executives ignored the information-security implications of WikiLeaks
while 16 percent implemented new policies and tools to protect against similar
breaches, the survey found. About 29 percent of companies discussed the
implications with employees, but made no changes to how they share and protect