Varonis welcomes PwC economic crime report, but cautions on data awareness issues
December 2011 by Varonis
Varonis Systems Inc has welcomed the publication of PricewaterhouseCoopers’ global economic crime survey 2011, but cautions that - in order to report economic fraud to the relevant authorities - companies must be aware that a fraud has taken place.
According to David Gibson, Varonis’ director of technical services, tracking the flow of unstructured data is a very difficult exercise, as clearly shown by the results of a survey at the IP Expo event in London in October, which found that 57 per cent of those contacted said that unstructured data is their biggest security headache (http://bit.ly/vmZPqf).
"And it’s for this reason that, whilst we welcome this report from PricewaterhouseCoopers - which gives companies a clearer view of the economic and cybercrime threats against their assets - we remain concerned that many large companies have grave difficulties knowing what is happening to their digital assets at all times, and thus making informed decisions about their protection and management," he said.
"I think it is interesting that the report notes more UK respondents (33 per cent) as seeing cybersecurity as the responsibility of their CEO and board, even though our observations suggest that those same CEOs and board members place a high degree of reliance on the information that flows from their IT security department," he added.
And, Gibson went on to say, the IT security manager and his team in turn rely on the data flowing from their security applications to assess the potential for data theft and allied frauds.
The problem here, he explained, is that, whilst conventional IT security systems can monitor - complete with the required audit logs - the structured data on the company’s IT systems, these systems rarely fully extend to unstructured data, which is typically stored on file shares, NAS devices, and email.
The Varonis director of technical services went on to say that the PwC report also reveals senior executives within corporates do not seem to be regularly reviewing their cybercrime risks.
This is clearly illustrated, he says, by the fact that only 20 per cent of respondents said their CEO and the board review these risks on an ad hoc basis.
The really big question that remains unanswered here, he adds, is how on earth can the CEO and board review their security risks when the information flow from their security staff does not paint the whole picture on what is happening to the company’s data?
"Even though the PwC UK report notes that three quarters of respondents who experienced an economic crime in the last 12 months reported the incident to a law enforcement agency - and almost a third also reported it to regulators - our conclusions are that, if the company itself is not applying best practice principles to all of its data, then it cannot be aware of the full picture," he said.
"This is especially concerning against the backdrop of the report noting that the number of incidents of fraud is on the rise (figure 12 in the UK analysis), as it means the problem of data security in large organisations will only get worse," he added.
"So whilst we welcome this UK analysis from PwC, we cannot help feeling that it leaves a large number of questions about company data unanswered. Without a complete picture of their data - and what is happening to it - even the best CEO cannot make informed strategy decisions."