If 90% of U.S. companies are falling victim to computer hackers, as a new Ponemon Institute study reports, is it that the companies are woefully unprepared, or that the hackers are particularly smart? Looks like this one is on the companies.

A research center dedicated to privacy and data protection, Ponemon surveyed 583 U.S. companies and concluded that data breaches are “almost a statistical certainty.”

Most companies say there’s little they can do about it. The recent victims include big names such as security firm RSA, Lockheed Martin, Oak Ridge National Laboratory and the International Monetary Fund. IT departments blame a lack of financial resources and the complexity of their networks as the top reasons for breaches. Nearly two-thirds of the attacks resulted in losses of anywhere from $250,000 to $2.5 million.

But dig deeper and the numbers tell a story about risk that could be managed better. Most companies already run a firewall on their network and have anti-virus and anti-malware software installed on their employees’ computers. The problem is that the study found 63% of breaches originated from unsecured employee devices, such as laptops and mobile phones. The vast majority of threats come from malware on websites and social media and from malicious software downloads.

Either the companies’ anti-virus software is outdated, or employees are too liberal with what they download.

This therefore looks like a training problem. Employees, and not just the IT department, should know how to start reducing the risk.

  • If attacks are coming in through laptops and mobile devices (smartphones, tablets, etc.), it’s time to implement a new policy on how employees connect to the network or to enterprise systems when out of the office. The days of living one’s personal life on a company-owned device may have to come to an end.
  • Only 30% of companies report using encryption, while citing theft of information assets as their top concern. An encryption policy seems like a no-brainer. Data theft is a lot easier to tolerate when what the thieves walk away with is ciphertext that is useless to them without the key. The thing about encryption, though, is that you have to use it, and use it properly. If it’s turned off, or if your passphrase is your birthday or the name of your dog, it won’t help you: an attacker simply guesses the passphrase and derives the key.
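The second bullet's point, that encryption protects nothing when the passphrase is a birthday or a pet's name, as an added example that is not part of the original article or of the Ponemon study. It stretches a passphrase into a key with PBKDF2 from Python's standard library, encrypts a constructed sample record with a toy HMAC-based keystream (illustrative only; a real deployment would use AES-GCM from a vetted library), and then runs the kind of guess list an attacker tries first: a handful of pet names followed by every birthday in a 30-year range. The guess list, the sample record, the pet names and the deliberately low iteration count are all assumptions made for the demonstration.

```python
import datetime
import hashlib
import hmac
import os

# Deliberately low iteration count so the demonstration runs in seconds;
# real deployments use hundreds of thousands of iterations or a memory-hard KDF.
ITERATIONS = 100
SALT_LEN = 16
MAGIC = b"REC1"  # known header; lets a decryption attempt be checked for success


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over a counter. Illustrative only; use AES-GCM in practice."""
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || ciphertext; a fresh salt gives a fresh key and keystream each time."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(passphrase, salt)
    data = MAGIC + plaintext
    return salt + xor(data, keystream(key, len(data)))


def decrypt(passphrase: str, blob: bytes):
    """Return the plaintext, or None if the passphrase does not reproduce the header."""
    salt, ct = blob[:SALT_LEN], blob[SALT_LEN:]
    data = xor(ct, keystream(derive_key(passphrase, salt), len(ct)))
    if not data.startswith(MAGIC):
        return None
    return data[len(MAGIC):]


def weak_candidates():
    """Constructed guess list: a few pet names, then every birthday 1970-1999 as DDMMYYYY."""
    for name in ("rex", "bella", "max", "luna", "charlie"):
        yield name
    day = datetime.date(1970, 1, 1)
    while day.year < 2000:
        yield day.strftime("%d%m%Y")
        day += datetime.timedelta(days=1)


def crack(blob: bytes):
    """Dictionary attack: try each weak candidate; return the passphrase that decrypts, or None."""
    for guess in weak_candidates():
        if decrypt(guess, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    record = b"SSN=123-45-6789;card=4111111111111111"  # constructed sample record
    stolen = encrypt("14071985", record)                 # a birthday as the passphrase
    print("weak passphrase recovered:", crack(stolen))
    stolen = encrypt("ZIlx7kQ9oqxy9d2Lv5Yx3VlqJI", record)  # a random passphrase
    print("strong passphrase recovered:", crack(stolen))
```

Under eleven thousand guesses fall over in a few seconds here, and the attacker's list in practice is much longer and faster. The random passphrase is not in any such list, so the same stolen blob stays ciphertext. Raising the iteration count slows each guess but does not rescue a passphrase that appears in the list; only a passphrase outside it does.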