A survey of IT managers in South Africa has revealed that losing customers and damage to reputation are the two main consequences of data loss.
Symantec's latest survey on data loss prevention (DLP), covering 200 upper-level managers in companies across a wide range of industry sectors, showed that information has become a company's most vulnerable asset. The majority of data breaches were committed by employees going about their daily tasks, sending information out of the organisation without recognising its sensitivity.
The research showed that 94% of IT managers did have a desktop and laptop data loss prevention strategy in place, using a blend of network access control, encryption, agent-based data loss prevention, endpoint management and device control.
"The survey showed, however, that locking down the infrastructure is not enough," said Gordon Love, regional director for Africa at Symantec. "Companies should also be protecting the information itself. DLP requires a policy-driven approach, an issue that cannot be solved by technology alone."
Love says the workforce has become increasingly mobile, with easy access to the corporate network from just about anywhere using a choice of devices. "This freedom makes it more difficult for organisations to prevent the loss or exposure of sensitive data."
According to the survey findings, 37% of employees use corporate notebooks, and 23% use company PDAs and smart phones to conduct day-to-day business.
Most of South Africa's IT managers know the dangers of external storage devices and 41% restrict the use of USB sticks, DVDs or other mobile storage devices, while 32% reported no restrictions. The remaining 27% of respondents had a policy in place.
The survey revealed that ignorance played a large part in data breaches and data loss. More than two thirds of respondents did not recall any data breach or data loss incidents, while more than one third knew of more than one incident. However, 42% of those who did report having experienced a data breach or data loss incident claimed that there was damage to reputation, and 24% lost customers and admitted financial losses exceeding R100 000.00.
Love advises companies to look to security solutions that are content-aware and enforce centralised policies to prevent the loss of confidential data wherever it is stored or used across endpoint, network and storage systems. "Considering anybody can access and disseminate information in unlimited volume, a DLP strategy requires a combination of business process improvement, technology to automate the processes and the training of all employees accessing and managing information," he says.
"Intellectual property differentiates many IT companies in the same industry, be it simple project plans or complex methodologies that underpin an organisation's implementation strategy."
According to the survey, 89% of companies surveyed had not had any industrial espionage incidents. However, out of those that did, damage to intellectual property (38%), loss of competitiveness (31%), financial losses (12%) and strategic disadvantages (9%) were their major concerns.
Of the IT managers interviewed, 70% had an industrial espionage strategy in place, with 94% using a combination of IT-based measures and physical and organisational security precautions.
"South African companies still underestimate the potential damage to their organisations in the event of a data breach or data loss," says Love.
More than 55% of the companies doubted the probability of such an occurrence, 22% felt the risk was too low, 9% of respondents found it hard to justify it to top management, followed by budget constraints (5%) and all of the reasons mentioned (2%). Only 7% were not aware of any incidents to justify such an initiative.
"A data loss prevention strategy should be proactive, comprehensive and consistent across all parts of the organisation," says Love. "Companies must be able to define sensitive data once and apply policies to it consistently across all tiers. But companies must do their homework first. Not having a consistent definition of what is considered sensitive and what's not might actually cost them more than having no solution at all."