With data breach costs soaring, companies should review data sharing policies

By Robert Westervelt, News Editor 29 Nov 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Companies are sharing intellectual property with partners in increasing numbers, but many lack a formal process to determine the kind of data that can be shared and of those that do, less than half conduct review access and usage policies.

People are flying by the seat of their pants here and hoping not to get burned. Jon Oltsik, senior analyst, Enterprise Strategy Group

That was the conclusion of a new survey by Milford, Mass.-based Enterprise Strategy Group. In its report, "Expanding intellectual property protection beyond the firewall," the research firm surveyed security professionals at North American-based organizations with 1,000 to more than 20,000 employees.

Among the key findings: Only 41% of respondents work at organizations that have a formal process to determine which intellectual property can be shared. Sharing relationships are also not reviewed very often. Only 42% said their organization reviews the access and usages policies that apply to their business policies more than once per year.

With the costs of data breach soaring, companies shouldn't ignore how intellectual property data is categorized, secured and shared with partners, said Jon Oltsik, a senior analyst at the Enterprise Strategy Group.

Related information: Data breach costs soar: A Ponemon Institute study indicates the costs associated with data breaches have soared and will continue to skyrocket unless companies do more to prevent them in the first place. Who's Had a Taste of Your Intellectual Property? Here are the key ingredients to protecting your secret sauce. Data breaches, compliance drive intellectual property protection: Recent high profile data breaches and compliance pressures are forcing companies to spend more on technology to protect intellectual property, according to a study. Hacker techniques use Google to unearth sensitive data: Those who know where to look could use Google to dig up all sorts of sensitive company information, including intellectual property and passwords, one security expert warns.

"If you find that you can cut your costs by sharing data with customers and suppliers, you're going to do that and you're going to do it even if there's a perceived risk," Oltsik said. "People are willing to jump out in front of technology to get a business benefit and then backfill management, security and operations."

In addition, 64% of those surveyed said they are confident that their security department is aware of all business partners who have access to intellectual property data, but only 54% are confident that their organizations know the specific data that business partners can access.

Many different groups within an organization classify data as intellectual property, including legal and line-of-business management, IT, executive management, and others. With so many groups involved, each with limited oversight or accountability, IP classification can be lengthy, inefficient, and fraught with overlapping tasks and finger pointing, Oltsik said.

"When you start to talk about how people monitor and enforce their policies, then it gets much more scary," Oltsik said. "People are flying by the seat of their pants here and hoping not to get burned. You have a lot of different technologies and methods and you really don't have an end-to-end view. There isn't a lot of confidence in the actual validity of the data."

While the majority of respondents said their organization reviewed intellectual property data access and usage policies at least once a year, 27% said a review took place once a year if at all. Some were not aware of any policy reviews.

"It becomes one of those situations where you're just sharing everything with everybody and cross your fingers. That's a recipe for disaster," Oltsik said.

Oltsik said companies need to begin with a single classification schema. Different business units need to agree to how data is classified. Then businesses need to put policies around classification. Finally, companies need tools to monitor and audit data classification and sharing procedures and also enforce the policies in place.

The survey was sponsored by data loss prevention appliance vendor, Reconnex.

Tags: Enterprise Data Governance,  Data Privacy and Protection,  Identity Theft and Data Security Breaches,  PCI Data Security Standard,  Information Security Policies, Procedures and Guidelines,  Identity Theft and Data Security Breaches,  Data Loss Prevention,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Enterprise Data Governance Risk management must include physical-logical security convergence Simple information security mistakes can cause data loss, says expert Organizations struggle with data leakage prevention, rights management Encryption in data management should never be ignored, expert says Attackers cash in on fundamental data handling mistakes, Verizon finds Data loss prevention benefits in the real world Mass., Nev. data protection laws wrong, ineffective Cybersecurity hearing highlights inadequacy of PCI DSS Enforcing a vendor risk assessment to avoid outsourcing security risks How to Secure Cloud Computing Data Privacy and Protection How to write a risk methodology that blends business, security needs PCI compliance requirement 3: Protect data Mass. Senate seeks to amend, weaken data breach notification law Bruce Schneier and Marcus Ranum Face-Off: Should We Have an Expectation of Online Privacy? Kodak CISO on virtualization, compliance Federal efforts to secure cyberinfrastrucure Attackers cash in on fundamental data handling mistakes, Verizon finds RSA panel to discuss surveillance, privacy concerns Mass. officials explain new data protection regulations HIPAA changes force healthcare to improve data flow Data Privacy and Protection Research Identity Theft and Data Security Breaches How to prevent and build protection against online identity theft Heartland breach highlights PCI limitations FBI investigates coordinated ATM scam Encrypt now to meet new Mass. data protection law Recovery plans essential for preventing data loss disasters Internal auditors and CISOs mitigate similar risks Cybersecurity expert sees PCI DSS problems ahead for retailers PCI is about eliminating data, not securing it, former QSA says Data breach discovery, disclosure outpaces 2007 PCI groups to focus on wireless, pre-authorization changes Identity Theft and Data Security Breaches Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cut-and-paste attack  (SearchSecurity.com) data splitting  (SearchSecurity.com) deperimeterization  (SearchSecurity.com) Google hacking  (SearchSecurity.com) masquerade  (SearchSecurity.com) snooping  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary