Data loss menace escalates with consumerization of IT

BANGALORE, INDIA: Symantec Corp. has released the findings of its study on Enterprise Security Survey 2010 - Millennial Mobile Workforce & Data Loss.

The study reveals that with the adoption of web-based tools, smart mobile devices and portable storage, “the office” can be anywhere. The resulting mobile workforce, coupled with growing heterogeneity of enterprise IT environments, increases the threat of losing sensitive data.

According to the report, 59 percent of Indian enterprises feel employee-owned endpoints compromise security, and 42 percent have lost confidential or proprietary data in the past. While security is a concern, many enterprises are unprotected and unprepared for the threats to information from Consumerization of IT.

“Access to unlimited information and the presence of collaborative tools in the business environment is enormously empowering. But, it can easily manifest rogue business processes that violate regulations resulting in loss of sensitive data,” Vishal Dhupar, Managing Director, Symantec India.

“Enterprises require a clear understanding about where their sensitive data resides and how it is being used if they wish to reduce their risk of data breaches. There is an urgent need to ensure the highest level of risk reduction to automatically enforce compliance with data security policies and enable enterprises to change employee behavior.”

Study Highlights

Enterprise IT is increasingly becoming consumerized
The official use of consumer technology such as social networking, instant messaging and blogs has become prevalent in Indian enterprises. However, enterprises are not adequately protected. The study reveals that 82 percent of Indian enterprises use Facebook, while 54 percent officially use web-based consumer email and 62 percent use blogs. Additionally, 46 percent of Indian enterprises use microblogging tools, 69 percent use Google Talk and 61 percent use Yahoo Messenger.

The biggest concern was around the use of instant messaging (IM) , with 57 percent of respondents rating IM as a major security threat. Social media is being increasingly used in business for collaboration and communication. Yet, 54 percent of CIOs and CISOs considered social networking sites to be a serious threat to their security. Fifty percent of Indian enterprises revealed that web-based email presented a high security threat as well.

However, 69 percent of respondents indicated that they did not feel sufficiently protected while using blogs, followed by social networking sites (50 percent), microblogs (47 percent), web-based consumer email (44 percent and instant messaging (42 percent). Interestingly, while most enterprises were concerned about the threats of instant messaging tools, the least number of respondents feel protected while using this technology.

Employees are accessing information from more locations and devices
Workforces are rapidly growing in geographically diverse locations and employees often work outside the corporate networks. Given this, Indian enterprises are encouraging employees to access, modify and disseminate information – often stored on the cloud – using their own devices.

While the use of Windows-based laptops are growing in 77 percent of Indian enterprises, the number of smartphones connecting to the network is increasing in 73 percent of the respondent enterprises. This was followed by PDAs (54 percent) and Mac-based laptops (51 percent).

Cloud computing is a major factor enabling employees to access data through their personal devices and from remote locations. However, 23 percent of respondents feel cloud computing increases the risk of losing data, and 27 percent feel it makes it harder to prevent/react to data loss.

As enterprise IT becomes more heterogeneous, data loss threats increase
Consumerization of IT, the use of employee-owned endpoints and the consequent diversity of enterprise IT, poses a security challenge for enterprises. While just 4 percent of respondents were not concerned about the threat of data loss, the Indian enterprises are not adequately equipped to protect their information, leaving them vulnerable to data breaches, especially from inside.

The study reveals that Indian enterprises perceive malicious insiders (61 percent), well-meaning insiders (50 percent) and former employees (50 percent) as threat to sensitive information.

Recommendations
Effective data loss prevention (DLP) establishes repeatable processes and procedures that reduce the risk of data exposure throughout an enterprise. Enterprises should have a sustainable DLP program that allows them to measurably reduce risk of a data breach, demonstrate regulatory compliance and safeguard customer privacy, brand equity and intellectual property.

Comprehensive, long-term, sustainable DLP is based on:

Threat coverage
Information has to be protected wherever it resides, whether at-rest, in-motion or in-use. This requires control points at multiple tiers (i.e., endpoint, gateway, network, back-end databases). Further enhanced compatibility with a cloud environment and Web 2.0 sites provides a more transparent Web experience for end-users that seamlessly prevents data exposure.

Data ownership
DLP should help enterprises identify their most critical information and enable simplified data clean-up and remediation through automated data owner identification. Besides continuous monitoring and auditing of data usage DLP needs to ensure adherence with corporate policies and regulatory compliance.

Business process integration
DLP must be incorporated into an organization’s overall business process so that it is viewed as a business necessity, aligned with strategic goals, compliance requirements and risk management.

Risk reduction measurement
Enterprises should define achievable and measurable goals and then regularly review progress against them and hold business leaders accountable for meeting them.