In recent years, criminals have targeted numerous large U.S. retailers for the millions of credit and debit card...
transactions they process on a daily basis. Attackers have also shown increasing interest in other records, like Social Security numbers and patient health information, because they can rake in millions selling such data on black markets around the world.
Despite the clear and present risk related to the theft of sensitive enterprise data, a new report reveals that a majority of enterprises have not implemented the baseline controls widely considered necessary to protect such data; in some cases, organizations aren't even aware that they may have regulatory obligations to do so.
For its 2014 State of Risk Report, released today, security and compliance vendor Trustwave Holdings Inc., based in Chicago, surveyed 476 IT professionals across technology, financial services, business services and other verticals on the security deficiencies that may be present in their respective organizations.
Trustwave found that 81% of responding businesses -- three-quarters of which were businesses with fewer than 1,000 employees -- either store or process financial data, which is subjected to a number of strenuous regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).
Yet Trustwave found that many organizations are seemingly not taking enough precautions to protect such sensitive data. Only 37% of respondents indicated that their respective organizations maintained what it called a "fully mature" method of controlling and tracking sensitive data. Nearly one-fifth of those surveyed admitted to having no controls in place to limit sensitive data exposure.
Just over two-thirds of responding organizations also admitted to transferring sensitive data between enterprise locations. A further 58% of responding organizations said they used third parties to manage their sensitive data, though nearly half had no programs in place to manage those third parties.
Worse still, according to Phil J. Smith, senior vice president of government solutions for Trustwave, is that 40% of enterprise respondents said that they were not fully aware of how regulations like PCI DSS govern the way they protect such information. Even among those organizations that did consider themselves fully aware, there were businesses that did not utilize security awareness training, hold security planning meetings or take other steps vital to upholding those regulations.
When taken as a whole, Smith said the statistics in the report show that a significant portion of organizations aren't doing enough to protect their most valuable data, even when regulations require it.
"If you don't understand what your legal ramifications are for not protecting [sensitive data], then you're probably not protecting it in an appropriate manner," said Smith. "A company may experience an issue where it doesn't know what is going on, and in a lot of cases, if it hasn't done its due diligence to understand what data is at risk and how it is being protected, then it doesn't have any indication that an anomaly is going on or that data might be at risk."
Risk assessment key to preventing sensitive data exposure
Organizations that have yet to implement measures to limit sensitive data exposure, Smith said, should start by commissioning a complete risk-based assessment to determine what assets are most valuable, where they are stored and how they are being protected. That process should include executives, HR, legal and non-IT employees, he noted, which should provide a clearer picture of the data that is important to different segments of each enterprise.
With that information in hand, Smith said that organizations should assess the protections in place for such data and identify gaps in security coverage. Hands-on application assessments, penetration tests and more will be needed to identify vulnerabilities and subsequently put together a remediation plan.
Once the remediation process has been completed, Smith said that both in-house auditors and external parties should be brought in to validate that the plan was implemented appropriately and all gaps were plugged. More penetration tests can also be commissioned for applications and Web apps, he added, to uncover any further weaknesses that might need to be addressed.
Executives must take role in data protection
Smith also emphasized that more executives need to be involved in security processes and doing due diligence to protect sensitive data. Less than half of all board members and senior-level management take a full role in security matters, according to respondents, while nearly one in 10 have no involvement in security at all.
Smith said those numbers are bound to improve after a series of high-profile data breaches, especially in cases like the Target Corp. breach, following which both the company's CEO and CIO were ousted, in part due to the incident.
To involve executives more in security, Smith said he has seen businesses have success by performing incident response readiness tests, which can bring HR, lawyers, management and a CISO into the same room to run through a scenario.
"That is a good way to educate those executives who are developing that agenda for their board meetings," said Smith,"[and] to start that dialogue."
Are you aware of your PCI DSS requirements? Resident compliance expert walks through a PCI compliance checklist for concerned organizations.