Each time consumer information falls into the wrong hands, such as the data breach at TJX and more recently those at Stop & Shop Supermarkets and Fruit of the Loom, the blame game kicks off: How did this happen?
A survey released last week on how businesses manage and control internal access to data raises the question: Why don’t security lapses occur more often?
More than half (52 percent) of respondents said their companies were unable to effectively manage and control data access within the four walls of their own organization. An additional 7 percent were “unsure” if they could. Fifty-one percent of respondents said their strategy was reactive: Identify problems after the fact and then fix them. Only 14 percent claimed to be proactive, fixing vulnerabilities before a problem occurs.
“This new study sheds light on the challenges for companies dealing with the problem of protecting intellectual property and other sensitive corporate data from misuse by ‘insiders,’ or employees with authorized access to data who might abuse that privilege,” said Larry Ponemon, chairman of the Ponemon Institute, which conducted the survey.
Most companies (58 percent) rely heavily upon manual processes to monitor who in the organization has access to what data, and a scant 13 percent centralize this task. Instead, responsibility for managing data access is distributed across multiple groups, such as a particular business unit, the information technology department, security or an auditing group, with very little collaboration. Sixty-five percent of respondents said collaboration never or rarely occurred, and 22 percent said collaboration across business units was “OK, but could be improved.”
The survey of 627 information technology professionals was conducted in January by the institute, a privacy and data protection think tank, and sponsored by SalePoint Technologies of Austin, Tex.
Companies spend an average $182 per customer record compromised to recover from a data breach, according to Ponemon’s annual survey of companies that lost confidential customer