Study Finds Vast Majority of Data Breaches Involve Unprotected Confidential Information on Off-Network Devices

On August 7, financial services firm Merrill Lynch reported the theft of a laptop computer from its New Jersey corporate office -- a computer containing sensitive personal and financial information, including Social Security numbers, for 33,000 of its employees. Such breaches of confidential information have become routine news for one simple reason: though sparing no expense to guard the security of their networks, corporations often fail to protect data on devices that are disconnected from the network.

According to a new study by the Ponemon Institute, 73 percent of corporations experienced the loss or theft of a data-bearing asset in the last 24 months, yet those same organizations report limited efforts to manage this vulnerability.

Among the National Survey: The Insecurity of Off-Network Security's significant results:

• 62 percent of study respondents confirm or are unsure if their off-network equipment contains unprotected sensitive or confidential information
• Yet 39 percent do not view the management of off-network data bearing equipment a critical component to security;
• 70 percent of data breaches result from the loss of off-network equipment; and,
• 30 percent say they would never detect the loss or theft of confidential data from off-network equipment.

"Protecting data that is stored on devices outside the confines and control of the corporate network is a problem for which many companies simply do not have a solution," Ponemon said. "Our research shows that, while most companies recognize the risk off-network data poses, few seem to have a grasp on how to manage the many challenges off-network data present to maintaining a strong data security program, and many do not even have a policy to address the situation."

"The cost of a security breach is astronomical, whether it occurs over the network or results from lost or stolen off-network assets," Houghton said. "The results of this study should alarm CEOs who have customer or employee information, and a brand to protect. After years of effort to establish secure computing, many companies are neglecting this very basic risk."