Data Control to Major Tom: Corporate Data Security Dire and Getting Worse

Companies Know About Data Security Problems, But Fail to Address Them

A newly published study of corporate data security policies has revealed that the majority of corporate technology executives have little knowledge of and control over sensitive data leaving their organization and have ignored the need for enhanced data security controls, even in the wake of large-scale data security breaches making national headlines. [1]

The results of the March 2011 study conducted by Ipswitch, Inc. in Lexington, Mass. were gathered during a survey of IT executives at the 2010 RSA Conference in San Francisco, Calif. and provided surprising statistics regarding corporate data security efforts that included:

Forty percent of companies completely ignored the information security implications of WikiLeaks;

Fifty-five percent of companies with existing data security policies fail to enforce them;

Twenty-six percent of employees used personal e-mail accounts to hide and conceal their transfer of files from management; and

Seventy-five percent of IT executives admitted to sending sensitive company information (such as payroll, customer data, and financial information) through e-mail attachments. Nearly 60 percent do it every week.

As company executives probably already know, failing to oversee the transmission of company information can lead to disastrous consequences if "personally identifiable information," [2] is disclosed. Further, companies can be hampered in their abilities to protect trade secrets and business/proprietary information if they cannot show that they undertook reasonable efforts to protect such information from disclosure.

Further, merely instituting a policy is not enough. The Ipswitch Study suggests that the two primary challenges that companies face in protecting corporate data are not drafting a policy, but rather: 1) acquiring effective visibility into the type of information shared, by whom, when, and how; and 2) establishing controls to prevent transmissions of sensitive information and enforce existing policies.

The Ipswitch Study reinforces the importance for corporations to make data security efforts a top priority.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.

April 6, 2011

[1] Ipswitch File Transfer Study, http://www.ipswitchft.com/company/news.aspx?pressid=185

[2] There is no uniform definition of personally identifiable information, and the information that can constitute PII differs depending on various state and federal laws.