The state of data security in North America

RSA announced the results of a survey commissioned by RSA entitled “The State of Data Security in North America.” Conducted by Forrester Consulting, the survey results reveal that many businesses are still in a ‘reactive mode’ when deploying data security measures and often struggle with the challenge of creating and implementing planned strategies for data loss prevention. The report – which surveyed almost 200 organizations – also highlights the rising costs and technology implementation hindrances standing in the way of compliance with internal and regulatory policy mandates.

The survey showed that the flexibility to make information readily available to partners, customers and distributed workers are top priorities for businesses today. Seventy-five percent of the respondents reported that access to data by remote employees is a top concern, followed next by demands for collaboration and data exchange with partners at sixty-nine percent, and consumer access at sixty-three percent.

Organizations are cognizant of the imperative to manage and control their data securely and appropriately – as prescribed in many legislative and industry mandates. In fact, sixty-two percent of respondents consider the enforcement of existing company policies on data to be their most pressing driver in ensuring that data is properly secured before it is shared and distributed. However, controlling the rising costs of ongoing compliance with those policies is becoming a burden, and thirty-three percent of the respondents – the majority response to this question – noted the operational costs of compliance are more significant than they would like them to be.

The research also revealed how many organizations have yet to determine what shape their policies should take – and how to implement them effectively:

— Fifty-five percent of respondents have data security policies that are either outdated or require significant changes to bring them in line with regulatory and company mandates

— Twenty-seven percent indicated that the policy they have is rarely enforced

What is Holding Businesses Back

1. Knowing what data you have – and understanding its sensitivity Determining the scope of how to address company policy requirements starts with data classification – knowing what data is important and everywhere it is located. Data classification is essential to providing proper guidance for a data security strategy and ensuring focus on the most critical areas so that costs can be contained.

— Fifty-two percent of respondents listed data classification as a top priority; however, thirty-seven percent of respondents do not actually have a data classification policy

2. Using Appropriate Data Controls to Prevent Loss or Leakage Once companies have a data classification policy in place, the next step is to implement a control strategy to mitigate the associated risks to their data. Encryption is quickly becoming the de facto control technology for meeting data security requirements:

— Sixty-two percent of respondents intend to increase their encryption deployments and sixty-five percent plan to increase their overall spending on encryption

— Fifty-two percent of respondents intend to increase spending on information leak prevention technology, another important control

— However, sixty-two percent of those surveyed either do not have an encryption policy or strategy at all, or consider their strategy to be incomplete as it only covers data at rest or data in transit, but not both.

Implementing a strategy that addresses all aspects of a data security policy requires an enterprise-wide approach. However, this survey showed that seventy-eight percent of respondents do not always approach the adoption of encryption controls from an enterprise-wide perspective. Instead, they focus more on solving tactical operational problems increasing the operational costs of deploying and managing encryption controls.

3. Simplifying the Management of Data Controls In the survey, the biggest contributor cited to the rising costs and deficient rate of return on investment on encryption was the lack of enterprise-wide key management. The top three operational issues with encryption indicated by respondents were in the area of key management, and over fifty percent of respondents also noted that these operational problems have had a material impact on the business. Most organizations polled, fifty-three percent, still rely on manual processes to deal with key management issues.

“The results of the survey indicate that a comprehensive and cost-effective approach to data security will help organizations construct manageable – and repeatable – data loss prevention processes,” Hoffman continued. “This framework will enable enterprises to fully exploit their information’s value for business advantage.”