We’ve got some fresh stats and trends to share from data that we collected at the recent RSA Security Conference.  Many thanks to the “statistically significant” number of people that took the time to fill out our survey questionnaire.

Our survey results highlight some major security and compliance concerns for businesses – information security, visibility and policy enforcement remain a major problem in 2011.  Here are a few key data points:

  • 65% have no visibility into files and data leaving their organization
  • >80% use easily lost or stolen portable devices like USB drives and smartphones to move and backup confidential work files
  • >75% send classified documents as email attachments – including payroll, customer data and financial information
  • >25% percent have purposely used a personal email account (like yahoo or hotmail or gmail) instead of their work accounts as a way to hide their file transfer activity
  • 55 percent said their companies provide – but do not enforce – policies and tools around sharing sensitive information

The fact that so many companies admittedly lack visibility into the files and documents that are moving around and leaving their organization is pretty scary.  How can an organization protect information that they don’t know even exists?  Clearly, increased focus is needed to first identifying sensitive data and then protecting it – These critical information security components should be carefully baked into an organizations security, governance and compliance initiatives.

Lastly, I’d like to vent on the last data point for a minute.  Policy creation simply isn’t enough…. the enforcement of that policy is the critical step.  Writing down a policy but not enforcing it is just as risky as not having documented the policy in the first place. Creating the policy is a good start, but please please please don’t stop there.

I’ve been sitting on some startling statistics for a couple weeks now, and it has been hard to keep my fingers quiet… But today is the day Ipswitch is sharing them with the world.  Here are a few key takeaways from the survey that Ipswitch conducted at the recent InfoSecurity Europe 2010 show in London.

40% of IT professionals surveyed admitted to sending sensitive or confidential information through personal email accounts as a way to eliminate the audit trail of what they sent and to whom.

Forty percent!

Let’s be clear:  Almost half of IT professionals use their personal email as a way to send sensitive company files while hiding their activity from company auditing and reporting.  Yikes, that’s a major security and compliance breach!

But wait, there’s more:

69% said that they send classified information, such as payroll, customer data and financial information, over email (with no security) at least once a month;  34% said they do it daily.

IT folks seem to be swayed by a similar set of drivers that as other worker bees – Namely, speed, convenience and the ability to send large files without the hassle.

This leaves us with an environment where IT professionals are:
(1)    Feeling the same pains as their end users
(2)    Smart enough to sidestep the very security and governance policies put in place
(3)    Deliberately break company policy and controls as a way to hide what they are doing

And just establishing a file transfer policy isn’t enough.  While 62% of organizations have file sharing policies in place, many don’t have the means or tactics in place to enforce them.  Despite increasingly strict governance and compliance mandates, 72 percent of respondents said that their organizations lack visibility into files moving both internally and externally.

Organizations that lack true visibility, management and controls around sensitive information now find themselves wide open to all kinds of risks, namely data breaches and compliance.  The fact that risk contributors include those tasked with protecting IT networks in the first place, and that it’s being done on a premeditated and recurring basis, just brings the whole situation to an entirely different level of ugly.  Try explaining THAT to an eDiscovery judge!