New Study: Unstructured Data Poses Huge Risk to Financial Institutions

It could be the draft of an important document that sits on the desktop of an employee's computer, or it could be the Excel spreadsheet with sensitive information that an employee took home to work on, then copied onto their home PC. Documents such as these are hiding out in a financial institution as "unstructured data" and may pose a security problem -- including the potential for data breaches if not handled properly.

A new research report, "Survey on the Governance of Unstructured Data" by the Ponemon Institute, shows the need for financial institutions to control access to unstructured company data. This term refers to electronic information such as spreadsheets, documents, presentations, multi-media files, blueprints or any data stored and accessed on file servers and Network Attached Storage (NAS) devices. The Ponemon Institute is a Traverse City, MI-based privacy and information management research firm (

Unstructured data comprises the vast majority of digital business assets, so ensuring that access is controlled and governed by business "need-to-know" is imperative, says Dr. Larry Ponemon, Chairman of the Ponemon Institute. The rate at which unstructured data is being created means the challenge of managing and protecting it will not only grow, but become exponentially more difficult. Of the organizations polled, 84% say their unstructured data is accessible by people with no business need for access.

"A lot of this data may never be used -- it's like clutter in a house -- so a financial institution needs to decide how to handle this type of data and decide what it really needs," Ponemon explains. Most people polled in the survey generally acknowledge that this is a problem in their organization. "It's not the smoking gun or proof positive, but now that we asked about it, it shows they haven't thought about it before, and there's a lot of uncertainty about it," Ponemon notes.

This is shown in responses from the 870 respondents who work in IT operations in a wide variety of industries, including financial services, which comprise 20% of all respondents. Respondents average 10 years of IT and business experience.

Financial services companies are potentially most at risk because they may lack a governance process for handling unstructured data, and unstructured data represents a very large percentage of their total data, Ponemon observes. Results from the survey show financial services have the largest percentage of unstructured data of the different industries studied -- more than health services and government.

Most institutions don't have a record retention process for unstructured data that is equivalent to what they have on the structured side, mainly because it's too difficult, Ponemon says. "This is an issue that is not solved with smart people and controls and procedures. Institutions almost need to have enabling technologies to help solve this problem because it's everywhere and there is so much of it."

Additional key findings:

91 percent of businesses lack a process for determining data ownership, and 76 percent can't determine who can access unstructured data;
61 percent of businesses do not have a process for monitoring which users are accessing unstructured data;
84 percent of respondents believe controlling unstructured data access will remain important or get more important within their organization in the next two years;
77 percent of respondents note that automating the process of managing unstructured data is currently lacking, with the same amount indicating that they would like to evaluate such a solution.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
