Ponemon Institute© Private & Confidential Document Page 1
Recent Research on Privacy, Trust and Data Protection
The Privacy Symposium at Harvard University
Dr. Larry Ponemon, Chairman
Ponemon Institute LLC
August 22, 2007
Ponemon Institute LLC
The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO's Government & Public Affairs Committee of the Board.
The Institute has assembled more than 50 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
The majority of active participants are privacy leaders (CPOs).
Proposed Agenda
What is privacy trust?
What does recent research tell us?
Scott & Scott – business impact of data breach
Redemtech – debut today of newest study on off-network security
Ponemon – Is desktop search safe?
Implications, privacy and the public’s trust
Questions
How the World Looks at Privacy
• Based on over 100 studies conducted between 2003 and 2006, we compiled the following distribution for adult-aged individuals in 16 countries with respect to their preferences for privacy:
– About 12% of the public appear to be privacy-centric. Events that minimize their sense of privacy or diminish the safety of their sensitive personal information will have a significant impact on behavior.
– About 68% of the public appear to be privacy-sensitive. While they say that privacy is important to them, it will not change their behaviors or information sharing practices.
– About 21% of the public appear to be privacy-complacent. They really don’t care very much about the sharing or selling of their most sensitive personal information, such as Social Security number or Country ID.
How the World Looks at Privacy
Distribution of the Public by Four Geographic Regions

Region          Privacy Centric   Privacy Sensitive   Privacy Complacent
North America   8%                73%                 19%
EMEA            15%               62%                 23%
Asia            5%                70%                 25%
Latin America   18%               67%                 15%
What is Privacy Trust?
A process for engendering trust and confidence in how an organization's leaders, employees, agents and contractors handle, manage, retain and secure private information about people and our families.
Privacy trust requires an organization to ensure that actual practices are aligned with the perceptions of key stakeholders such as customers, consumers and employees.
The key components of privacy trust include: disclosure and notice, choice or consent, good security measures, reasonable access rights and data quality (accuracy).
How Does Privacy Increase Corporate Value?
Good privacy creates real value to organizations because it promotes the trust of stakeholders such as customers, employees and business partners.
Beyond perception, privacy practices create real economic benefits in terms of:
Reducing operating inefficiencies
Improving information flows about people
Increasing brand or marketplace image
Decreasing risk of regulatory action, fines and lawsuits
Cost and ROI metrics can be developed that demonstrate the full value of good privacy practices in corporations and governmental entities.
Starting point: need to understand what the public (consumers) thinks – or, what do they care about?
Business Impact of a Data Breach
Study released in May 2007
Sponsored by Scott & Scott, LLP
About the study
Sample of 702 IT and IT security practitioners in US companies
Following are the key questions in our inaugural study:
• Are organizations prepared to respond to the breach and what do they consider the most important actions to take?
• Do they measure the cost of the breach to their organization?
• What causes data breach incidents?
• How has the breach affected an organization's strategy for preventing a breach?
• What are the differences in approaches to the prevention and detection of a data breach between organizations that have experienced a breach and organizations that have not had a data breach?
85% of respondents' companies experienced a breach incident
Bar Chart 1: Data breach statistics for the present sample
  Companies experiencing the loss of personal information: 85%
  Companies required to notify breach victims: 81%
42% of data breaches occurred because of missing devices such as laptop computers
Bar Chart 2: Probable cause of the data breach event
  Missing devices: 42%
  Negligent employees: 16%
  Negligent third parties: 10%
  IT mishaps: 7%
  Criminal activity: 6%
  Malicious employees: 6%
  Missing backup media: 4%
What technologies are not being deployed to remedy future breaches?
Bar Chart 3: What organizations are not deploying after data breach
  Event management tools: 73%
  Controlling endpoints: 65%
  Identity & access management: 65%
  Controlling system disposal: 63%
  Hiring outside counsel: 63%
  Conducting training: 46%
  Encryption solutions: 46%
57% did not have an incident response plan in place when the breach happened
Bar Chart 4: Did you have an incident plan before the breach?
  Did not have an incident response plan: 57%
  Did not engage outside legal counsel to draft or review plan: 77%
Notification strategy: 37% over-report
Bar Chart 7: Who needs to be notified?
  Notify everyone (over-report): 37%
  Careful assessment before notifying: 36%
  Notify only after absolute confirmation of harm: 14%
Majority of respondents do not believe that breach victims suffer monetary damages
Bar Chart 8: What percentage of breach victims experienced monetary damages?
  0% (no monetary damages): 50%
  Between 1 to 2%: 20%
  Between 2 to 4%: 11%
National Survey: The Insecurity of Off-Network Security
Study released today (August 2007)
Sponsored by Redemtech
About the study
• Sponsored by Redemtech, Ponemon Institute independently conducted this study to better understand how business and government organizations are securing confidential data on off-network electronic equipment.
• Our national survey queried 735 respondents who are employed in corporate information technology (IT) departments within U.S.-based business or governmental organizations. Our survey focused on the following four key issues:
– How important is it for an organization to control data on electronic devices that are off-network?
– What controls or procedures do organizations have in place to secure off-network data-bearing equipment or devices?
– How rigorous is the enforcement of policies and procedures to protect confidential off-network data?
– What are the primary causes for the theft or loss of data on electronic devices that are off-network?
– Is an organization’s confidential data as much at risk off-network as when it is on-network?
About the study
• Off-Network electronic equipment – includes all data-bearing devices that are disconnected from your organization's system or network for various reasons, such as for relocation, repair or disposition.
• Electronic equipment includes data-bearing servers, desktop and laptop computers, PDAs or other portable storage devices. Off-network includes equipment that is idle; not actively in use or in storage. The term also applies to equipment being moved; for transition to another user or being sent for repair, refurbishment, reconfiguration, redeployment, return on lease, or retirement (disposal).
Sample of respondents
Pie Chart 1: Sample distribution by industry sector
Financial services and Government are the two largest sectors at 19% each. The remaining sectors represented are Other, Technology & Software, Defense, Telecom, Cable & Wireless, Health Care, Professional Services, Transportation, Retailing, Education, Hospitality & Leisure, Manufacturing, Entertainment and Media, Internet & ISPs, Pharmaceuticals and Energy.
Attitudes
Bar Chart 1: Pre/post survey questions on the state of off-network security
Percentages show adjusted responses to a five-point scale ranging from strongly agree to strongly disagree. The chart compares pre-survey and post-survey responses (all between 59% and 68%) for five statements:
  Off-network security is not a priority
  Off-network devices have unprotected sensitive data
  Off-network controls are not rigorous
  Resources are inadequate
  Confidence in controls to prevent data loss
Data breach experience
Bar Chart 2: Data breach experience of survey respondents
  Experienced a loss of data-bearing equipment: 73%
  Loss involved sensitive or confidential data: 42%
Off-network data loss
Bar Chart 3: Data loss or theft involving on and off-network data-bearing devices
  Data storage was on-network: 27%
  Data storage was off-network: 26%
  Both on and off-network: 44%
Most likely causes
Bar Chart 4: The most likely causes of the loss or theft of off-network data-bearing devices
  Non-compliance with policy: 27%
  Negligence: 24%
  Lack of policies: 19%
  Malicious insiders: 9%
  Crime/theft: 7%
Devices lost
Bar Chart 5: Off-network devices involved in a data breach
  Laptops: 68%
  PDAs: 67%
  Flash drives: 60%
  Servers: 39%
  Backup media: 29%
  Desktops: 29%
  Zip drives: 13%
  Copying machines: 13%
  External storage: 11%
  Routers: 9%
  Printers & fax: 4%
Security steps
Bar Chart 6: Steps taken to secure data on off-network devices
  Clean (wipe) devices: 64%
  Reset system passwords: 63%
  Control custody in transit: 55%
  Control custody (lockdown): 41%
  Encrypt data at rest: 25%
  Physically destroy drives: 16%
  Degauss hard drives: 15%
  Physically destroy equipment: 13%
  Engage an outside company: 13%
Is policy enforced?
Bar Chart 8: Existence of an off-network security policy or SOP that is strictly enforced
  Have off-network security policy: 86%
  Have policy that is strictly enforced: 26%
How long will it take to detect data loss?
Bar Chart 9: How quickly will the loss or theft of an off-network device be detected?
  Immediately: 15%
  Within 2 hours: 7%
  Within 1 day: 15%
  Within 1 week: 12%
  Within 1 month: 13%
  More than 1 month: 8%
  Never: 30%
Is Desktop Search Safe?
Study released in July 2007
Background
• Security researcher Robert Hansen recently published details of a man-in-the-middle attack against Google Desktop, which places an attacker between Google and someone launching a desktop search query. From this position, the attacker is able to manipulate the search results and possibly take control of or install other programs on the desktop. According to Hansen, this drives home the point "that deep integration between the desktop and the Web is not a good idea."
• A security research firm named Watchfire identified a cross-site scripting vulnerability that would allow an attacker to place malicious code on a Google Desktop user's computer and possibly to take full control of the computer. Google says that it fixed this particular flaw.
Survey
• Our Web-based study was conducted between June 8 and June 12, 2007.
• Our national sampling frame included adult-aged respondents (≥ 18 years) who are in corporate IT or IT security.
• In total, people who reside in the United States received an invitation to participate. This resulted in 1,268 individuals responding (with approximately a 5.4% response rate).
• About 60% of respondents said they were aware of this controversy. Only this sub-sample was asked the remaining survey questions.
Do you agree with Hansen?
Do you agree with Hansen that such integration creates a security problem for Google Desktop?
  Yes: 66%
  No: 6%
  Unsure: 9%
  I'm not qualified to answer: 19%
Is the problem resolved?
In your opinion, does that mean Google resolved this problem or is Google Desktop still vulnerable to new cross-site scripting attacks?
  I believe that Google is no longer vulnerable to new cross-site scripting attacks: 18%
  I believe that Google's desktop is still vulnerable to new cross-site scripting attacks: 71%
  Unsure: 11%
Does antivirus software fix the problem?
Do you believe that antivirus software detects and defends computers against these cross-site scripting attacks or are Google Desktop users exposed to these attacks even if they keep their antivirus software up-to-date?
  I believe antivirus software most likely defends computers against such attacks: 31%
  I believe antivirus software most likely does not defend computers against such attacks: 56%
  Unsure: 12%
What should users do?
For enterprise users including government agencies, does this transfer of data outside the enterprise create an unacceptable security risk?
  Yes: 74%
  No: 16%
  Unsure: 11%
What should users do?
In your opinion, should users with confidential or legally protected data such as legal, medical or educational records avoid using Google Desktop with this "search across computers" functionality?
  Yes: 83%
  No: 10%
  Unsure: 6%
What can we learn from this jumble of findings?
Privacy matters. Take steps to implement responsible information management practices across the enterprise for all data subjects.
Technology makes a difference. Take stock of new enabling technologies that help protect personal information, such as data leak prevention and encryption solutions.
The human factor is important. One of the top privacy risks concerns negligent or incompetent employees (a.k.a. the Insider Threat). Make sure employees, temporary employees and contractors understand good privacy and data protection practices. Also, take steps to vigorously monitor behaviors that push the limits of the company's policies or SOPs.
Understand the law. Privacy requirements vary by state, industry sector and nation. You need to understand how legal requirements impact the company’s information technology requirements. Responsible information management requires more than an adequate level of compliance.
Questions?
Dr. Larry Ponemon
Ponemon Institute LLC
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
New Michigan HQ: 2308 US 31 N. Traverse City, MI 49686