Survey: Security policies neglect off-network devices

Most companies don't have policies in place to protect corporate data on electronic devices that leave the confines of the network, Ponemon Institute study finds.

Current Job Listings

Ponemon Institute study says companies need to put better security policies in place to prevent data loss and privacy breaches when equipment goes off network.

A majority of companies put confidential data at risk every day when equipment such as servers, desktops, laptops and portable storage devices leave the confines of their network, according to a recent survey of 735 IT security practitioners. (See slide show for details.)

The survey, conducted by Ponemon Institute and commissioned by Redemtech, an IT asset management and recovery services vendor, shows that the vast majority of data breaches reported today involve unprotected information on devices that go off the network at one time or another for relocation, repair or disposal. (Check out our Q&A with Larry Ponemon, founder and chairman of Ponemon Institute, for more details.) The findings, Ponemon says, should compel IT security managers to ramp up their off-network security policies and practices to the same level of their security practices for devices on the network.

"Organizations have experienced the theft or loss of confidential data when it has been off-network. The practices and procedures of protecting data off-network is, therefore, as much an issue as protecting data when it is on-network," the Ponemon report "The Insecurity of Off-Network Security" reads. "Both on- and off-network security should be important for all organizations."

The survey found that close to three-fourths of corporations experienced the loss or theft of a "data-bearing asset" in the past 24 months. Of those, 42% involved the loss of sensitive or confidential data. For 68%, those devices were laptop computers; for another 67% data breaches occurred on PDAs; and for about 60% confidential information was compromised when USB flash drives were lost or stolen. Even larger devices such as servers and desktops were cited by 39% and 29%, respectively, of survey respondents as the cause of data loss in the past two years. Other off-network devices involved in a data breach included backup media for 29% of those polled, zip drives and copying machines for 13% each, external storage devices for 11%, routes for 9%, and printers and fax machines for 4% of survey respondents.

Yet despite the many reported losses on off-network equipment, more than 60% of survey respondents said that their organizations place more importance on on-network security issues. Sixty-two percent of survey respondents said their organizations have data-risk problems, which Ponemon described as "an abundance of unprotected sensitive or confidential information residing on off-network data-bearing assets." And another 62% of survey respondents reported that they "believe that off-network controls are not rigorously managed."

"Our research shows that, while more companies recognize the risk off-network data poses, few seems to have a grasp on how to manage the many challenges off-network data presents to maintaining a strong data security program, and many do not even have a policy to address the situation," said Larry Ponemon, found and chairman of the Ponemon Institute, in a press release. Ponemon and Robert Houghton, president of Redemtech, are scheduled to discuss the study findings at Harvard University's Privacy Symposium Wednesday.

The frequency of loss data from laptops and other devices is in part due to a lack of policies dictating how to treat critical data on devices that could leave the network, the study says. About 60% of survey respondents said they lack the resources to implement proper policies and put controls on off-network devices. About 40% of survey respondents said between 5% and 10% of their IT security budget is earmarked for off-network security activities, and 34% said they can use between 1% and 5% on such activities.

"The proof of senior managements' commitment to off-network security activities is budget allocation. 89% of respondents report that off-network security activities represent no more than 10% of earmarked IT security spending," the report reads. "If off-network security threats represent about half of all data breaches, a 10% or less budget allocation suggests inadequate focus, attention or commitment."

Learn more about this topic

Security leaks slide show

Ponemon: Off-network security is a huge problem


Study: Despite data breaches, database security not a top corporate priority


Data breaches seen to threaten IT job security05/02/07Laptop theft hits Chicago Public Schools


Dump old gear without leaking company secrets01/29/07Laptop theft compromises customer data06/02/06
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT