As attacks on data rise, corporate teamwork fails

"We expect the data threat environment to continue to evolve, and at the same time, clearly, there's a long way to go based on where we are today," said Brendon Lynch, director of privacy strategy at Microsoft. "There's this major issue around the degree to which marketing professionals consult with these other involved parties; they see the policies as getting in the way of business objectives, and they're not interacting with security or privacy specialists based on that, which undermines the process change that companies are already attempting to enact."

As part of its connection with the study, Microsoft is pushing the notion that companies should merge their security and data privacy operations to simplify the process of interaction between the various constituencies.

Some 80 percent of all respondents to the Ponemon study said that they would support further combination of those teams to improve coordination of their data defenses.

"We feel that most companies need to be more holistic and bring these types of roles together," said Lynch. "All of these workers are critically important to better locking down the data, so they need to look at developing appropriate-use cases, and how to better fulfill business objectives while maintaining protection."

The study is just the latest expert opinion to highlight the fact that despite the ever-expanding range of security technologies available to enterprises to protect sensitive data, many organizations could be well served to start with a review of their internal policies.

In addition to getting business teams to work more closely with security and privacy pros, some experts contend that organizations could improve security risks quickly by merely retrenching the settings of their network and IT systems.

Many critical infrastructure systems are installed with the idea of getting an operation up and running first, with plans to bolster security after the fact, and never readdressed, said Paul Williams, chief technology officer at IT security services provider Global Security Management.

Reviewing networking gear settings to ensure that they have been sufficiently obscured, along with tweaking the features of other systems crucial to protect external attack is another way that companies can significantly bolster data security with little to no capital investment, he said.

"Before you learn how to defend a network, you have to take a walk on the wild side and see how you can break in yourself," said Williams. "Most networks can be made more secure by simply taking the time to go back and see how things were installed and whether or not the settings were changed in a way that promotes security; people typically look to technology solutions to address these problems, but they could begin helping themselves significantly at relatively no cost."

In a presentation delivered at the Gartner IT Symposium earlier this month, analyst Neil MacDonald told attendees of the show that they could save money on their security projects if they continue to push for a more thorough, process-driven approach to data protection on a high level within their organizations.

"This can't be about managing a set of projects, it has to be about improving process," MacDonald said. "At the end of the day, the idea of tagging every piece of data in an enterprise for the sake of protecting it is unfeasible; it sounds great on paper, but the problem is a monumental effort with new information coming in all the time, it's not a process that's sustainable."