Customer data ranks third on the list of items business leaders worry about protecting from data breaches, according to a poll of 649 IT executives for a study (PDF) by the Ponemon Institute. Intellectual property and confidential business information took top billing.
The report, a survey of IT executives from businesses and governmental organizations in the United States, Europe, the Middle East and Africa, included further unsettling results. Only 45 percent of IT staffers surveyed felt they were adequately protected against data loss; 40 percent of the respondents said their organizations don't monitor suspicious database activity or they didn't know whether such monitoring occurs; and 68 percent said they felt their databases were well protected against hackers, but only 43 percent expressed confidence that they were safe from malicious insiders.
"Data can be monetized quickly and the bad guys know it," Larry Ponemon, chairman of the Ponemon Institute, based in Traverse City, Mich., said in a statement. "Organizations that fail to protect their data effectively are proving easy targets [and are] often left to contend with considerable damage to their reputations and financial results."
A similar survey of 1,400 IT executives earlier in 2007 by Datamonitor put the price tag for the average data leak incident at $1.82 million, according to the 23 percent of respondents who were able to track and audit losses after a breach.
Some of the key problems facing respondents are the sheer number of databases being used and the difficulty of knowing where those databases are and what is in them. Thirty percent of respondents said their organizations had between 101 and 500 databases, while 23 percent reported having in excess of 1,000. Another 16 percent could not determine how many databases they had.
"You can't protect what you don't know [you have]," said Toby Weiss, president and CEO of New York-based Application Security, which sponsored the study.
According to Weiss, locating all of an organization's databases is just one-fourth of the battle. Corporations also need to prioritize which databases to address first, remediate any vulnerabilities or security issues, and monitor databases for suspicious activity, he said.
The good news one can take from such studies, Weiss said, is that organizations both large and small are increasing the security portion of the IT budget.
"I think people are starting to wake up to the cost of an incident and the value of the information they have," Weiss said.