Data Security Policies Go Begging at Many Organizations: RSA Survey

A survey conducted at the RSA conference found that organizations are either not creating proper information security policies or not enforcing existing ones.

Security-conscious organizations talk about protecting sensitive information and data security, but few of them actually follow through, according to a recent survey. They haven't updated their information-security policies even in the post-WikiLeaks world.

In a survey of IT executives released March 8, Ipswitch File Transfer found that while 40 percent ranked protecting sensitive information as a top IT priority in 2011, nearly 55 percent said their companies don't enforce policies and tools for sharing and protecting sensitive information. Ipswitch conducted the survey during the RSA Conference in San Francisco in February.

Approximately 77 percent of IT executives attached classified information and files, including payroll, customer data and financial information, to e-mail messages at least once a month, and nearly 60 percent did so weekly, Ipswitch found in the survey.

There are two security implications to this, Hugh Garber, product marketing manager at Ipswitch, told eWEEK. Even if the employee is trying to be productive by working from home, if the transfer mechanism is not secure, there is a chance that information can be compromised, he said.

"It might not be a malicious act, but the act is inherently risky," he said.

However, approximately a quarter of surveyed employees, or about 26 percent, admitted to sending around files they shouldn't be sharing and using their personal e-mail addresses to hide the fact they were doing so, Garber said.

"Companies can't expect to secure confidential information if they don't have visibility into what's being shared, by whom, with whom and how," said L. Frank Kenney, vice-president of global strategy and product management at Ipswitch.

About 65 percent said in the survey that they had no visibility into files and data leaving their organization. This is worrisome in light of the fact that 20 percent of the respondents felt that managing the flow of information internally and externally was critical. One-fourth said security in the cloud was important, as well. Companies are talking about security, but not following through.

The problem is pervasive, said Garber. If management doesn't lead by example, or doesn't provide employees with a simple and secure way of transferring files, then employees will find alternatives, he said.

Having, but not enforcing, policies is just as bad as never having them in the first place, Garber said.

Increased reliance on external drives in the workplace is partly to blame for the current state of data insecurity. More than 80 percent of the respondents used USB drives, smartphones and tablets to move and back up confidential documents, the survey found. More than half (57 percent) saved confidential files to external devices at least once a week, an 11 percent increase over 2010, Ipswitch said. These devices can easily be lost or stolen.

Case in point: A few months ago a Cambridgeshire County (England) Council staff member was saving case notes and meeting minutes onto an unencrypted USB drive even though the council had issued encrypted memory sticks for this purpose. The employee had trouble using the encrypted device, according to the BBC. The unauthorized drive, which contained private and sensitive information on six adults, was lost.

If top-level executives don't enforce the policies, employees will rely on other tools, Garber said. While creating policies is a start, enforcement is just as essential, he said.

More than 40 percent of surveyed executives ignored the information-security implications of WikiLeaks while 16 percent implemented new policies and tools to protect against similar breaches, the survey found. About 29 percent of companies discussed the implications with employees, but made no changes to how they share and protect information.