The survey was conducted by security specialist Clearswift and was completed by 208 IT decision makers. It reveals that 20 percent of Australian organisations suffered data loss in the last 12 to 18 months.
Peter Croft, managing director for Clearswift Asia Pacific, says that although these figures are higher than the worldwide average of 16 percent, “on most fronts the Australian results closely mirrored global trends.”
Croft feels there is a definite lack of awareness about the risks and consequences of data loss, which “starts with an undervaluing of data assets.”
“Many organisations don’t understand the cost of remediation until they have to do it,” he says.
Four out of five respondents do rate data loss as an imperative issue to their organisations, and yet up to 39 percent of the organisations do not have a data loss prevention (DLP) policy in place.
For organisations wishing to lock down the transfer of sensitive information, Croft says, it's vital to formulate such a policy.
“The first step is to define policy on what data is sensitive, based on the risk it poses to the organisation if lost or stolen,” he says.
“Once a risk schema and policy is defined, this should lead the selection of the right tools for categorisation, identification and protection of data at rest, in use and in motion.”
Croft says it's also important to have the ability to enforce a DLP policy.
“The worst position to be in is to define a clear and workable policy, but be restricted by shortcomings in tools,” he says.
But according to the survey, just 30 percent of Australian organisations are planning to invest in DLP solutions in the next twelve months. Of those who aren't, around a third responded they didn't have the budget, and another third perceived DLP solutions to be too complicated.
Email is perhaps the biggest problem area. Four in five organisations allow their employees to send confidential data by email, yet 39 percent admit to losing data via email, 16 percent have no email content filtering in place and half have no encryption filtering.
“E-mail poses a serious risk for data loss, but many organisations see the email security challenge starting and ending with spam and virus control,” Croft says.
“Spam and AV tools are only designed to look at inbound traffic. Proper DLP is best addressed by flexible, high function gateway tools designed for outbound as well as inbound protection.”
The IT decision makers were nearly unanimously against disclosing data breaches to the public.
A mere four percent of respondents thought the general public should be informed in the event of a data breach, although a large majority felt affected customers and partners should be informed.
IT decision makers do see the benefits of disclosure. 94 percent of respondents felt mandatory data breach notification legislation would foster a greater understanding of the importance of good security practice amongst employees.
Many also believe such legislation would increase consumer and stakeholder confidence.
But almost half felt such legislation would increase IT spend by over 10 percent, and three quarters felt disclosure could damage their organisations' reputations.
Croft says this attitude is understandable. “But [it] does overlook a broader need for customers to feel that they can have confidence in the way their data will be treated,” he says.
“I think this is a reasonable expectation. In many cases, banks and other institutional organisations would be well served to publicise what they do to protect customer information.”
Australian organisations lagging behind on DLP
By Dylan Bushell-Embling on Jul 16, 2008 2:55PM