Nov 14, 2008, By Hilton Collins in Government Technology
Personal information about employees is more than twice as likely to be compromised in government security breaches as constituent data, according to an online survey released by consulting firm PricewaterhouseCoopers (PwC). The survey also found that most governments don't keep accurate inventories of where their data is stored in their organization.
PwC, in partnership with CIO and CSO magazines, conducted the Global State of Information Security 2008 survey from March 25 to June 26, 2008. Conducted via e-mail, it included more than 7,000 CEOs, chief financial officers, CIOs, chief security officers and other high-level respondents from 119 countries. Five hundred fifty-three came from the public sector, but PwC would not disclose how many came from the U.S. government.
Forty-two percent of the public-sector respondents reported that employee data was more likely to be impacted by security breaches than constituent data. Only 19 percent reported otherwise.
"My sense is that businesses, first and foremost, place priority on protecting their business information, which is the lifeblood of their organization," said Jack Johnson, a partner in the Washington federal practice at PwC. Johnson has previously been the chief security officer for the U.S. Department of Homeland Security, a position he held from 2003 until 2005. He was appointed by then-Homeland Security Secretary Tom Ridge. "It's not because they don't place a level of importance on employee data, but I think their priority is focused on their business information."
In his experience, more security controls are usually placed around business data than around employee data, so it's possible the path to employee data may be the one of least resistance for malicious hackers.
Other data from public-sector respondents indicates:
• 65 percent reported that their organizations didn't have accurate inventories of where personal data was collected, transmitted and stored;
• 76 percent reported that they didn't keep an inventory of third parties who handle constituent data when data sharing occurred, and 47 percent had established security baselines for external parties when handling such data;
• 70 percent believed that their users complied with privacy and information security policies, but 50 percent didn't audit or monitor the compliance, and 46 percent required employees to complete training on privacy practices.
"The organization, first and foremost, needs to perform a risk assessment around this data to determine which data is considered sensitive, or, in some cases, personally identifiable information," Johnson said. Once the sensitivity and importance of data are assessed, organizations can proceed more coherently with protection in mind.
The report recommends that organizations take the following security actions:
1. Prioritize data and information assets according to risk level continuously - 27 percent of respondents said they did, 40 percent said periodically and 31 percent not at all.
2. Extend privacy protections to employee data, not just constituent data.
3. Establish a "culture of compliance" to ensure that employees adhere to organizational security protocols.
4. Develop an incident response plan to determine how to handle data breaches when they occur - 53 percent of respondents said their security policies didn't address incident response.
The report also had some good news - governments have improved in their information security efforts from two years ago.
• 65 percent of respondents had an overall information security strategy versus 42 percent in 2006.
• 75 percent employed a chief information security officer or a chief security officer, versus 56 percent in 2006.
• 72 percent leveraged secure remote access (VPN) versus 61 percent in 2006. In a VPN, or virtual private network, security measures like encryption ensure that only authorized users can access the network.