October 11, 2010 - The very nature of data security is one couched in discretion: as a matter of routine, processes are classified, and specialists in this area rarely share their company’s state secrets.

Against the premise that the very nature of data security and its associated risks keep organizations from sharing critical solution steps, insurance and financial services organizations lack the metrics and raw collection capabilities necessary to objectively measure and manage this growing problem.

So say the authors of a new report based on the “2010 Data Security Survey” published by Phoenix-based Securosis. The report is designed as an early step toward providing security managers and practitioners with practical information on the perceived effectiveness of major data security tools and techniques. The results are based on the responses of more than 1,000 security and IT professionals within organizations of all sizes and with a heavy emphasis on financial services and including health insurance as its own category.

“There is a huge gap in the security industry, forcing us to rely more on anecdote and perceptions than hard measurements,” the report noted. The study also notes some disparities between the common perception that security breaches are on the rise and the reality of breach incidence. "Nearly two-thirds of organizations either didn't know if they suffered any data breach incidents, or stated that they didn't experience any," the survey says. "Of those that did, 46 percent saw a decline in breaches, while 27 percent reported the same number of breaches from the previous year."

The survey results indicate that organizations do not invest equally in data security- financial services and government invest most in data security personnel, with healthcare, retail, and manufacturing investing relatively less (note that the authors only performed this analysis for some of the verticals surveyed).

Other Key Findings

  • On average, most data security controls are in at least some stage of deployment in 50 percent of responding organizations. When deployed, controls tend to have been in use for 2 years or more.
  • Most responding organizations still rely heavily on “traditional” security controls such as system hardening, email filtering, access management, and network segregation to protect data.
  • When deployed, 40-to-50 percent of participants rate most data security controls as completely eliminating or significantly reducing security incident occurrence.
  • The same controls rated slightly lower for reducing incident severity (when incidents occur), and still lower for reducing compliance costs.
  • 88 percent of survey participants must meet at least one regulatory or contractual compliance requirement, with many having to comply with multiple regulations.
  • Despite this, “to improve security” is the most cited primary driver for deploying data security controls, followed by direct compliance requirements and audit deficiencies.
  • 46 percent of participants reported about the same number of security incidents in the most recent 12 months compared to the previous 12, with 27% reporting fewer incidents, and only 12% reporting a relative increase.
  • Organizations are most likely to deploy USB/portable media encryption and device control or data loss prevention in the next 12 months.
  • E-mail filtering is the single most commonly used control, and the one cited as the overall least effective.
  • Our overall conclusion is that even accounting for potential response bias, data security has transitioned past early adopters and significantly penetrated the early mainstream of the security industry.

Top Rated Controls (Perceived Effectiveness):

  • Top 5 rated controls for reducing the number of incidents are network data loss prevention, full drive encryption, web application firewalls, server/endpoint hardening, and endpoint data loss prevention.
  • Top 5 rated controls for reducing incident severity are network data loss prevention, full drive encryption, endpoint data loss prevention, email filtering, and USB/portable media encryption and device control. (Web application firewalls nearly tied to make the top 5).
  • Top 5 rated controls for reducing compliance costs are network data loss prevention, endpoint data loss prevention, storage data loss prevention, full drive encryption, and USB and portable media encryption and device control. (Very closely followed by network segregation and access management).

This story originally appeared on Insurance Networking News.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access