Uncertainty about where sensitive and confidential data is located causes more worry for security pros than hackers or malicious employees, according to a new survey from the Ponemon Institute.
The report, based on a poll of 1,587 IT security practitioners in 16 countries, focuses on the state of data-centric security, which it describes as a security policy that follows data wherever it is replicated, copied or integrated.
Among the findings:
- Fifty-seven percent of respondents said not knowing the location of sensitive or confidential data is what keeps them up at night; hackers, non-compliance with regulations and malicious employees ranked much lower among their concerns
- Twenty-four percent said they don't know the location of their organization's sensitive or confidential unstructured data, such as data contained in emails or files; for the survey overall, only 7 percent of respondents said they know the location of all their organization's unstructured data
- Forty percent said that in the event of a data breach involving unstructured data, they would not be able to detect it
These findings stand in contrast to those of a recent KLAS report that found identity management and unauthorized data access by employees to be healthcare providers' biggest security and privacy concerns. However, mobile security policies ranked high on both surveys.
Healthcare executives speaking at the iHT2 conference in Boston recently outlined how they've moved beyond trying to simply control access to patient data in favor of better tracking how information flows within the organization.
Larry Ponemon, founder and chairman of the Ponemon Institute, said in a Q&A posted to the website of Informatica, which sponsored the report, that when information is spread out and unstructured, ownership and accountability are difficult to discern.
"People trained in security also view IT as accountable for the security domain," Ponemon said. "But in today's world of cloud and BYOD, it's really a shared responsibility with IT serving as an advisor, but not necessarily having sole accountability and responsibility for many of these information assets."