Indian Cos Find Data Loss Biggest Security Concern

by CXOtoday Staff    Nov 04, 2009

Symantec has published the findings of its study on the mounting risk of data loss in Indian enterprises. The study reveals that 79 percent of organisations identified data loss as their most serious information security concern. It is followed by other threats such as viruses, denial of service (DoS) attacks and spam.

According to the study, companies have realised the consequences of losing sensitive information such as source code, intellectual property, and employee and customer accounts. Loss of such information can result in compliance issues and threaten the company’s credibility, and the information can be used by competitors. Symantec stated in the report that a company’s overall security strategy must be proactive, protecting confidential information and knowing where it resides, how it is being used and how its loss can be prevented.

Low Awareness
Even though data loss is considered a serious threat, only 15 percent of the surveyed organisations have adopted any form of data loss prevention measures. The absence of a security policy on data loss is attributed to low awareness (32 percent) among enterprises of the impact of data loss. Companies are still largely unaware of how data loss prevention technologies can help safeguard their reputation and revenue.

More than 50 percent of the information residing within the surveyed organisations has been classified as sensitive. As the value of information increases, instances of data loss are also said to be on the rise. More than 16 percent of organisations in India admitted to facing a data loss issue in the recent past. The major causes of these losses were traced to unaware users, insiders and increasing external threats from hackers and cyber criminals.

According to the study, 52 percent of respondents said that compliance and regulatory mandates were a major driver to prevent data loss. In addition, pressure from international clients was one of the reasons for 24 percent of organisations. Business continuity was another important factor stated as a consideration by many respondents.

Inadequate Measures
The majority of users considered firewalls, log analysers, intrusion prevention and intrusion detection solutions to be adequate and appropriate data loss prevention measures. Amongst users of data loss prevention (DLP) technologies, 84 percent had opted for a ‘patch’- or ‘silo’-based implementation. Non-users, who comprised 45 percent of the respondents, did not feel the need for data loss prevention since they were sure that their existing security solutions were enough to keep information safe. Almost 30 percent of all respondents faced data classification challenges while differentiating between sensitive and non-sensitive information within their organisation.

However, large enterprises showed the highest awareness of DLP (as high as 84 percent). Awareness and adoption were very low in medium and small enterprises. High-risk industries like banking, finance and insurance showed maximum implementation of DLP. Over one-third of the Indian organisations implementing DLP belonged to this sector. Other sectors investing in DLP include IT/ITeS (30 percent), telecom (18 percent), manufacturing (12 percent) and others (6 percent).

Preventing data loss is a business problem — not just an IT concern any more. The study also highlighted that DLP is being addressed in approximately 76 percent of organisations.

The study recommends:
Effective data loss prevention (DLP): organisations must look beyond installing products, as that does not ensure success. Organisations should try to achieve a DLP program that addresses risk factors and provides security. Comprehensive, long-term, sustainable DLP is based on:

  • Threat coverage at multiple tiers (endpoint, gateway, network, back-end databases).
  • Business process integration, where DLP must be incorporated into an organisation’s overall business processes so that it is viewed as a business necessity, aligned with strategic goals, and follows compliance requirements and risk management.
  • Achievable and measurable goals, which organisations should define, with regular reviews of progress to ensure that they are being met.