Back in 2006 during a rash of news about execs losing their laptops with confidential data, I wrote an article titled, "Lundquist's Guide to Not Getting Fired for Losing Your Laptop." I was sure that stories such as mine combined with the opportunity for vendors to make some money by adding encryption and additional layers of security access and using hosted (today, called the cloud) data storage would push this serious problem to the margins.
It is now nearly three years later, but has the problem receded? No, and no again. In fact, I think it may be getting worse. Here's my evidence. Recently I attended a briefing from PriceWaterhouseCoopers, where the company presented its findings from its 2008 Global State of Information Security study. PWC has been doing this study for 10 years, this one gathering data from about 7,000 senior C-level execs from 119 countries. This is no quickie Web poll, but a study with a history and some science behind it.
I guess I'd expected to see something like 80 to 90 percent of companies engaged in encrypting laptops, databases, file shares, backup tapes and removable media. I was really wrong. Here are the percentages of survey respondents that have implemented these technologies: laptop encryption: 50 percent; database encryption: 55 percent; file share encryption: 48 percent; backup tape encryption: 47 percent; and removable media encryption: 40 percent.
But wait, it gets worse. If I were going to write that guide today, I'd focus more on handheld devices, which are due for some major data leakage crime stories. How many respondents have implemented security standards for handheld and portable devices? That would be 42 percent. How many have established security standards for cellular/PCS and wireless systems? That would be 40 percent.
Ouch. That doesn't even get me into cloud computing. In cloud computing, you can hear lots of talk about uptime and cost savings, but very little on who is responsible for the data in the cloud and how those cloud companies are guaranteeing and assuming liability for data security. And that doesn't even touch on social networks, hosted e-mail and all the other myriad ways data proliferates and wanders about corporations these days.
At this point, I'd say companies are losing the battle on data security. Your best bet, in my opinion, is to focus on the data that is absolutely vital to your company and make sure that is locked down and available only to authorized users.
For more on the PriceWaterhouseCoopers, study go here.