Organisations failing to get a handle on location of sensitive data, study finds

Out-Law News | 25 Jun 2014 | 4:59 pm | 1 min. read

Most organisations do not know where both structured and unstructured commercially sensitive data is stored within their IT infrastructure, according to new research by the Ponemon Institute.

A survey of more than 1,500 IT and IT security professionals based around the world found that just 16% of organisations know where all their sensitive structured data is located. Nearly a quarter of respondents (24%) do not know where that information is and 60% said they only have "limited knowledge" of its location.

Fewer than one in ten organisations (7%) know where all their unstructured sensitive data resides, data integration software provider Informatica, which sponsored the Ponemon study, reported. Just over half of the respondents (52%) said they had limited knowledge of the unstructured data's location, but 41% said they did not know where the information resides.

The most common concern highlighted by the IT and IT security professionals that participated in the survey was not knowing where sensitive data is stored.

According to the survey, only 26% of organisations are confident they can detect data breaches involving structured data, with only 12% confident of identifying a breach of unstructured data. More than half of respondents said that either better data security technology, better skilled staff or more automated processes and controls could help them avoid data breaches.

Classifying data as sensitive is the most common measure used to protect structured data, according to the study, whilst 62% of respondents said their organisation uses "application-level access controls" to protect such information.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that bringing systematic classification to their data can help organisations to meet regulatory requirements.

"European data protection rules are generally principles based, unlike the more rules-based legislative approaches used in some other jurisdictions such as the US, and for this reason some organisations struggle to 'operationalise' their data protection – to develop and implement practical controls to help them safeguard data in their possession or control," Dautlich said. "A good data classification policy is a good start to achieving this objective."