Survey: Security policies neglect off-network devices

A majority of companies put confidential data at risk every day when equipment such as servers, desktops, laptops and portable storage devices leave the confines of their network, according to a recent survey of 735 IT security practitioners. (See slide show for details.)

The survey, conducted by Ponemon Institute and commissioned by Redemtech, an IT asset management and recovery services vendor, shows that the vast majority of data breaches reported today involve unprotected information on devices that go off the network at one time or another for relocation, repair or disposal. (Check out our Q&A with Larry Ponemon, founder and chairman of Ponemon Institute, for more details.) The findings, Ponemon says, should compel IT security managers to ramp up their off-network security policies and practices to the same level of their security practices for devices on the network.

"Organizations have experienced the theft or loss of confidential data when it has been off-network. The practices and procedures of protecting data off-network is, therefore, as much an issue as protecting data when it is on-network," the Ponemon report "The Insecurity of Off-Network Security" reads. "Both on- and off-network security should be important for all organizations."

The survey found that close to three-fourths of corporations experienced the loss or theft of a "data-bearing asset" in the past 24 months. Of those, 42% involved the loss of sensitive or confidential data. For 68%, those devices were laptop computers; for another 67% data breaches occurred on PDAs; and for about 60% confidential information was compromised when USB flash drives were lost or stolen. Even larger devices such as servers and desktops were cited by 39% and 29%, respectively, of survey respondents as the cause of data loss in the past two years. Other off-network devices involved in a data breach included backup media for 29% of those polled, zip drives and copying machines for 13% each, external storage devices for 11%, routes for 9%, and printers and fax machines for 4% of survey respondents.

Yet despite the many reported losses on off-network equipment, more than 60% of survey respondents said that their organizations place more importance on on-network security issues. Sixty-two percent of survey respondents said their organizations have data-risk problems, which Ponemon described as "an abundance of unprotected sensitive or confidential information residing on off-network data-bearing assets." And another 62% of survey respondents reported that they "believe that off-network controls are not rigorously managed."

"Our research shows that, while more companies recognize the risk off-network data poses, few seems to have a grasp on how to manage the many challenges off-network data presents to maintaining a strong data security program, and many do not even have a policy to address the situation," said Larry Ponemon, found and chairman of the Ponemon Institute, in a press release. Ponemon and Robert Houghton, president of Redemtech, are scheduled to discuss the study findings at Harvard University's Privacy Symposium Wednesday.