Long ago, when businesses kept sensitive information locked away in file cabinets and safes, it was relatively cheap and easy to store valuable data and control who had access to it. Today, enterprises invest millions in security, storage, and compliance technologies - all in the name of increasing visibility into where vital electronic information lives and how it is being defended.
Despite those efforts, most experts and customers admit that in most companies the process of tracking down every piece of valuable company data - and applying the appropriate tools to shield information from unwanted access or misuse - remains in its beginning stages.
The heart of the matter is visibility. Enterprises feel uncertain whether today's technologies are providing an accurate sense of where things stand or are merely creating a false sense of security.
Seeing blind spots
When forensic experts called in by businesses to investigate external data breaches and insider threats tell their stories, the traumatic events that lead to brand-trashing headlines and regulatory punishment are most often based in the business' lack of knowledge of where its sensitive data is.
Enterprises are improving their ability to safeguard the stockpiles of sensitive information they know about, admit investigators, but many remain blind to additional stores of important data or the flawed processes they use to transmit information electronically. Both problems leave them vulnerable to leaks and attacks.
"In almost every case we've investigated where companies have experienced a serious data breach, the reality is that the companies didn't know they had the information where it was stolen from until it's too late and the data has been taken," says Bryan Sartin, vice president of investigative response at Cybertrust, a provider of managed security services that lists risk assessment among its specialties.
"We end up telling companies where they store their sensitive data after doing forensics when they've already had a breach," Sartin says. "In some cases it's clear that companies are only doing the bare minimum in terms of protection before one of these incidents, but the truth is that even with companies that are employing a lot of sound technologies and process they're still missing a lot of the important data repositories."
Making the job of such professionals even more difficult, Sartin says that clever hackers are already using anti-forensics techniques to hide their footprints and make it harder for investigators to trace ongoing data theft schemes.
Other security breach experts agree that businesses seem overwhelmed by the task of hunting down and protecting valued information.
"It's not that good companies aren't making an effort in this area; it just seems that they can't seem to find a way to locate the information and manage it in a way that allows them to do business and guard the data from every conceivable threat," says Kevin Mandia, chief executive of security service provider Mandiant.
"Even worse, in many companies it's clear that they are doing the bare minimum to try and meet regulatory demands for data protection, or simply to prove that they're doing enough to avoid having to report a breach publicly when it happens," he says.
The perils of self-diagnosis
In survey results to be published on 25 June, analysts at Enterprise Strategy Group (ESG) found that one third of the 102 large companies they interviewed admitted a loss of sensitive data in the previous year, with another 11% uncertain whether or not their data stores had been violated.
In a nod to the challenge of engaging security processes that go beyond protecting networks from outside attacks, 58% of the IT workers surveyed by ESG say they believe that the most significant threat to their sensitive information comes from insiders, through both malicious and careless activity.
"The good news is that we are finding that people are recognising the problem around identifying, protecting, and classifying confidential data and intellectual property, and are willing to dedicate more money to those efforts, but the bad news is that this is still very much a manual process," says Jon Oltsik, the ESG analyst who authored the report (which was sponsored by data protection technology vendor Reconnex).
"Many companies clearly believe they are doing a good job, but the evidence of breaches and holes in their processes leads you to believe that there are many inaccurate delusions out there," Oltsik says.