Companies Don’t Know Location of Sensitive Data, How to Find Breaches

The inability to identify critical assets or data and to react properly to security breaches is a major shortcoming of all companies, from small to large. Attackers targeting non-critical systems could gain access to confidential business information that should otherwise be stored on a segregated network or infrastructure. The disclosure of classified information could have devastating consequences for a company’s financial health.


Two in three companies are uncertain about the location of their sensitive information, while more than half are worried about temporary worker or contractor mistakes with their data security, according to The State of Data Security Intelligence, a study by the Ponemon Institute.

The lack of knowledge regarding data (52%), third party or outsourced management of data (48%), and migration to new mobile platforms or cloud ecosystems (47%) are also among IT managers’ top five concerns, the report says.

Hacking, non-compliance with laws or regulations, employee error, broken business processes and personal identity theft are also main concerns.

Sensitive and confidential information is considered more at risk in the cloud: some 34% of an organization’s secret information in the cloud is considered at risk, while 24% of the information on premises could be targeted. Respondents also say they can’t assess the risk of 54% of the data stored in the cloud and 30% of the data stored on premises.

Not knowing if their organizations’ sensitive or confidential information could be exposed or breached represents a significant security risk, according to 80% of respondents. On average, respondents believe 34% of the data they collect, store and handle is sensitive or confidential.

“Recent studies have shown that businesses have no incident response or disaster recovery plans in case of security breaches, meaning that threat mitigation and remediation can take a significant amount of time,” Liviu Arsene, senior eThreat analyst, said. “Although technology and layered security mechanisms provide a level of security and reduce the surface of attack, quick incident management and response can make all the difference in terms of business continuity.”

Some 42% of IT managers said they were unable to identify the source of security breaches, while 32% of those who admitted having experienced a breach can’t say how often they were breached, according to a SANS Institute survey.

The increasing integration of IT into once-isolated operations technology systems is one of the top three threat vectors found by security professionals. Some 42% of respondents say the threat of attack from external actors is their biggest concern, while internal threats came second, followed by integration of IT into control system networks.

“The number of confirmed breaches is rising, but the limited ability of most ICS security systems to detect attacks, let alone reveal their source and type, is at least as big a problem as the number of attacks on operational technology systems,” according to Bengt Gregory-Brown, consultant to the SANS ICS program. “Lack of visibility into ICS systems is a problem, and one that’s growing with greater connectivity and the IT-OT integration.”

IT and ICS converge with greater frequency than integration. Only 29% of respondents have begun implementing a strategy to manage that convergence securely, while 36% are developing a strategy and 18% have no strategy at all and don’t plan to develop one.

“Starting from the premise that it’s only a matter of time until a company’s network perimeter is breached, enterprises should focus on having an internal incident response plan, a classification of business value of data, and an incident response process to handle and report breaches to third parties,” Arsene added. “Alerts triggered by security mechanisms need to reach all key stakeholders to proactively respond to threats.”

A recent survey by big four accountancy firm KPMG revealed that industries such as healthcare and pharmaceuticals risk exposing extremely sensitive data (e.g., patient records, medical history, therapeutic drug schemes) and not being able to find or limit the breach. Some 16% of healthcare organizations said they cannot detect in real time if their systems are compromised.

Security specialists recommend companies not focus only on adhering to guidelines and certifications, but actively test their network perimeter and train employees in correctly identifying and reporting security incidents. Best practices demand appointing an executive with sole responsibility over cyber security and capabilities for instant monitoring.