Sensitive data is insecure abroad, McAfee report finds

By Neil Roiter, Senior Technology Editor, Information Security magazine 29 Jan 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

Sensitive corporate data moving across national borders is increasingly exposed to industrial espionage and organized crime, according to a survey of senior IT personnel around the world.

As companies extend their trust to corporate partners, service providers, suppliers and offices abroad, they are allowing millions of dollars of sensitive customer information and intellectual property to move with the business.

And they are losing it.

In the Unsecured Economies Report commissioned by McAfee Inc., 800 senior IT directors said their companies say they keep an average of $12 million worth of sensitive information abroad. Those companies also reported a loss of an average $4.6 million worth of intellectual property in 2008.

"Based on the survey findings, McAfee conservatively estimates that the global damage from data loss to top one trillion dollars," McAfee CEO Dave DeWalt said when announcing the survey findings today.

It's a startling high cost of doing business in a global economy. But companies are forging ahead. The survey found driven, in order, by cost reduction, supply chain partner efficiency, expertise and, ironically, in many cases, safety.

The respondents said they were generally more concerned about the impact on their companies reputation if sensitive information was leaked or stolen than the financial impact.

Securing IP: Data breaches, compliance drive intellectual property protection: Recent high profile data breaches and compliance pressures are forcing companies to spend more on technology to protect intellectual property, according to a study. With data breach costs soaring, companies should review data sharing policies: Companies are sharing intellectual property in increasing numbers, but many organizations fail to monitor and enforce their policies, according to a survey. Hacker techniques use Google to unearth sensitive data: Those who know where to look could use Google to dig up all sorts of sensitive company information, including intellectual property and passwords, one security expert warns.

"Our corporation is everywhere," said Mike Siegel, director of product management for McAfee's data protection unit. "It's fluid. It's with our partners; it's with our supply chain; it's with our outsourcers; it's with our knowledge workers, who are in the back of a taxicab. It's everywhere."

Professors Karthik Kannan, Jackie Rees and Eugene H. Spafford from Purdue University and the Center for Education and Research in Information Assurance and Security (CERIAS), undertook extensive research with experts from around the globe. Those surveyed were 100 IT directors each from U.S., U.K., Japan, China, India, Brazil and the Middle East.

Surprisingly, developing countries -- India, China and Brazil -- spend a substantially higher percentage of their IT budgets on security. The percentage was strikingly low in the United Kingdom, 4% (compared to 35% in India).

The motivation behind these differences is revealing. Companies in developing countries -- 74% in China and 68% in India -- said that better security gives them a competitive advantage in attracting customers and clients. But security spending by companies in Japan, Germany, U.K. and the United States are generally driven by compliance.

On the other hand, a significant minority of companies in Germany, Japan, India and the Middle East said they don't investigate security incidents, either because of the cost or bad publicity.

The global recession is making things worse.
In particular, companies around the world are concerned about insiders turning on them to steal data for pay. Laid-off employees, motivated by a combination of money and anger, were first on the list, cited by 42% of the respondents as their prime concern in a recession. This was followed by outside hackers and financially strapped employees. The latter are always of concern, especially in developing countries, but more so in a tough economy. In addition to money, employees who fear they will be laid off may steal sensitive data to help them land a job with a competitor.

SearchSecurity.com radio:

"Managing insider threats is difficult," Tim Shimeall, an analyst at Carnegie Mellon University's CERT Network Situational Awareness Group wrote in the report. "With more sophisticated technologies at their fingertips and increased access to data, it has become easier for current employees and other insiders, such as contractors, consultants, suppliers and vendors, to steal information."

The global economy notwithstanding, many companies are loath to store sensitive data in Pakistan, Russia and China. In addition to the usual concerns about workers in developing countries, respondents are concerned about Islamic fundamentalism in Pakistan, the Russian mob and industrial espionage in China. Twenty-six percent of the respondents avoided storing or processing data in China, 27% in Pakistan and 19% try to keep data out of Russia, the survey found.

"China is a large developing nation," Shimeall wrote in the report. "They are people [who are] rich, but not resource rich. They are eager to develop the economy. The cheapest way, not necessarily the ethical way, is to indulge in industrial espionage."

The report concludes that companies doing business abroad have got to adopt strong incident response procedures, think strategically about protecting information beyond the core enterprise, procure contracts with specific security requirements and tighten controls around current and fired employees access.

It's a new business world, and a more dangerous one for corporate information.

"It's a different kind of market, and that marketplace has evolved," said McAfee's Siegel. "There is an international trade where intellectual property is now a currency that can be traded and sold on an international level."

Tags: Enterprise Data Storage,  Information Security Risk Assessment: Methodology and Analysis,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Enterprise Data Storage Safend expands data leakage prevention product to plug more gaps TrueCrypt: How to get started with open source disk encryption Report: Firms avoid encrypting backup tapes, databases Encryption tips: How to secure a laptop The real reason behind backup recovery disk failures Infosec pros wake up to Excel spreadsheet security risks How to enforce an enterprise data leak prevention policy 3ami allows employers to track use of USB storage devices How to create a data classification policy EMC adds configuration management with Configuresoft acquisition Information Security Risk Assessment: Methodology and Analysis Improving software with the Building Security in Maturity Model (BSIMM) Encryption basics: How asymmetric and symmetric encryption works Getting the most out of the gap analysis process Jericho Forum to provide customers with good security questions to ask A guide to internal and external network security auditing Insider threat detection still a challenge for employers Get more out of your security event log data Secure cloud computing: a contradiction in terms? Report: U.K. lags in information security management practices Aligning network security with business priorities

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary