Report finds enterprises failing to protect sensitive data

Confidential data remains unprotected in many large enterprises, according to a recent survey released by Enterprise Strategy Group (ESG) on behalf of database security firm Application Security.

In the second annual survey of 175 IT and information security professionals from North American enterprises with 1,000 or more employees, 40 percent said most of their data is adequately secured and 11 percent said some confidential data is secured. Two percent of respondents said most confidential data is not secured and another two percent said they did not know.

The remaining 40 percent of respondents said they believe that all of their organization's confidential data is adequately protected.

In addition, fewer than half of respondents believed that their existing database security controls provide adequate protection for all databases that contain confidential data, according to the survey, released Tuesday. Many organizations have trouble securing databases due to budget constraints and a lack of resources, Thom VanHorn, vice president of global marketing at Application Security, told SCMagazineUS.com on Tuesday.

“We are still kind of in a crisis state when it comes to database security,” VanHorn said.

Recently, a database of the Springfield, Massachusetts-based insurance provider Mass Mutual was accessed by an individual without authorization, potentially exposing the personal information of an unknown number of employees.

The ESG survey also found that just 37 percent of respondents believe they can meet regulatory compliance requirements and ensure the security of confidential or sensitive information at all times. In addition, nearly 30 percent of organizations surveyed said they have failed a data security compliance audit in this past three years.

There are some bright spots to the report: Twenty-two percent of respondents said their organization has suffered at least one confidential data breach in the past 12 months, compared to 56 percent of respondents who said the same last year.

However, while the number of organizations that were breached went down, the amount of records that were lost rose, Jon Oltsik, senior security analyst with ESG, said in the report.

According to the Open Security Foundation, which tracks publicly disclosed breaches, in 2008 there were 716 data breach incidents affecting approximately 86 million records. From January to November 2009, there were 404 data breach incidents affecting approximately 217 million records.