"Even worse, in many companies it's clear that they are doing the bare minimum to try and meet regulatory demands for data protection, or simply to prove that they're doing enough to avoid having to report a breach publicly when it happens," he says.
The perils of self-diagnosis
In survey results to be published on June 25, analysts at Enterprise Strategy Group (ESG) found that one third of the 102 large companies they interviewed admitted a loss of sensitive data in the previous year, with another 11 percent uncertain whether or not their data stores had been violated.
In a nod to the challenge of engaging security processes that go beyond protecting networks from outside attacks, 58 percent of the IT workers surveyed by ESG say they believe that the most significant threat to their sensitive information comes from insiders, through both malicious and careless activity.
"The good news is that we are finding that people are recognizing the problem around identifying, protecting, and classifying confidential data and intellectual property, and are willing to dedicate more money to those efforts, but the bad news is that this is still very much a manual process," says Jon Oltsik, the ESG analyst who authored the report (which was sponsored by data protection technology vendor Reconnex).
"Many companies clearly believe they are doing a good job, but the evidence of breaches and holes in their processes leads you to believe that there are many inaccurate delusions out there," Oltsik says.
"When you dig a little deeper and show them what type of data is stored on people's desktops and on file servers, most companies are surprised at the size of the problem," says the analyst. "The common thread in these companies is a lack of cooperation between different business constituencies. It is not just an IT problem, or a legal problem, or a business problem; and unless people view it as a corporatewide problem, their situation isn't going to improve."
IT consultants who are helping enterprises solve these problems concede that even the best companies are struggling to comprehend the scale of the data security issue.
As the volumes of information being maintained by large companies continue to grow exponentially -- in some case driven by compliance regulations such as the Sarbanes-Oxley Act and HIPAA -- businesses are challenged to stay abreast of the issue and gain true visibility into their operations.
"In general we find that companies have applied a lot of great technologies and feel that they are secure, but there's a general problem of not having enough of a budget to invest in even more tools that can be used to dig down further and gain better visibility into their operations," says Steve Suther, a senior information risk strategist at IT consultancy Getronics.
Before joining Getronics, Suther served as director of information security management at credit card giant American Express. Data security was a "huge problem" for Amex during his decade there, Suther says, as the company tried to protect itself and its customers while dealing with millions of service providers and merchants who processed its information and accessed its records.