Fiddling while Rome burned

Attorney Eric J. Sinrod says corporate America needs a wake up call--in the worst way--about data security.

2 min read
Despite all the attention lavished on data security, most U.S. corporations still do not think that they can prevent data breaches. A just-released report provided first to this columnist, prepared by the Ponemon Institute, and sponsored by PortAuthority Technologies paints a bleak picture. The results of the report were compiled from a survey of 850 security practitioners and centered on how they deal with detection and prevention of data breaches within their U.S. companies.

While there is a heightened focus on data security, the new findings suggest that data security continues to present serious challenges to the business world. Even though a majority of the surveyed companies believe that they can detect data breaches, an even larger percentage--63 percent--acknowledge they can't do anything to prevent the attacks. Many say they are affected by high false-positive rates of up to 35 percent, an operational shortcoming that affects their ability to detect intrusions.

There is the minority...who think they lead a charmed existence and are invulnerable to data breaches. They either are naive or doing something very right.

Just as troubling is the fact that 41 percent of the surveyed companies do not believe that they are effective at enforcing their data security policies. The No. 1 reason cited for failed enforcement: lack of resources. This is unacceptable; data security is not the place to be penny-wise and pound-foolish. Wouldn't it be much better to plan and spend for prevention than to grapple with the burden and larger expense of a breach after the fact?

The report found that companies are likely to detect both large and small data breaches, but the detection rates still are too low. Better technological methods must be employed to ascertain breaches as soon as they happen, so they can be stopped and damage can be minimized.

Then, there is the minority--some 16 percent of the surveyed companies--who think they lead a charmed existence and are invulnerable to data breaches. They either are naive or doing something very right that others should study.

Among companies that choose not to use leak prevention technologies, cost is the big issue. About one-third say that such technologies simply are too expensive. You can see the looming contradiction. Effective data security may not be the primary mission at most companies, but it soars to the top of the corporate agenda when defenses fail.

The question is whether U.S. companies are ready to make the necessary commitment to fix the system. Failing that, are they at least ready to get ready?