SOURCE: Ponemon Institute

April 22, 2008 09:35 ET

Ponemon Institute Study Exposes Dangers of Peer-to-Peer Networking to Enterprise Data Security

Risk of Confidential Data Disclosure via P2P File Sharing Not Understood by Users, Not Adequately Addressed by IT Security

TRAVERSE CITY, MI--(Marketwire - April 22, 2008) - A new study conducted by the Ponemon Institute, The Ignored Crisis in Data Security: P2P File Sharing, shows that IT security organizations within corporate enterprises lack an understanding of the risks posed by peer-to-peer (P2P) networks to confidential information, including intellectual property and the personally identifiable information (PII) of employees and customers.

The problem was illustrated in 2007 by P2P-sourced data breaches at financial services firm ABN Amro and pharmaceutical giant Pfizer that exposed the PII of 5,000 and 17,000 individuals, respectively. Also in 2007, the U.S. Congress held hearings to respond to the magnitude of sensitive files available on P2P file sharing networks. The arrest and conviction of a Seattle man who used P2P file sharing networks to obtain consumer information that was later used to commit ID theft and fraud illustrates the use of P2P for criminal activity.

"Every day, corporations and their trusted third parties make thousands of documents available to P2P file sharing networks which malicious individuals, organizations, and governments find and take action," said Robert Boback, CEO of Tiversa, sponsor of the study. "Current IT-based data security measures are not effective since 40-60% of confidential information on P2P file sharing networks originates from outside a corporation -- from virtual employees, outsourced suppliers, professional services firms, and customers. Firms can't secure what they don't monitor and manage."

According to The Ignored Crisis in Data Security: P2P File Sharing, the poor understanding of P2P's security risks to corporate data has resulted in a lack of effective policies and preventive security measures to address information disclosures on P2P networks.

While 63 percent of survey respondents said their organizations forbid the use of P2P file sharing applications, 26 percent said they were unaware of any policies addressing P2P, and only 5 percent of companies surveyed even monitor P2P networks for data loss. Other significant findings from the study include:

--  35 percent of respondents said use of P2P networks could not result in
    the inadvertent transfer and disclosure of documents residing on corporate
--  Only 25 percent of respondents said they were confident their
    company's data security procedures could prevent data compromise resulting
    from use of P2P networks; and,
--  The most likely data breach scenario involving P2P was attributed to a
    service provider's use of P2P networks (26 percent), followed by home
    computer use of P2P (16 percent), and P2P downloaded directly to a
    company's computers (12 percent).

"What we found as a result of this study is that there are many misconceptions about and very little appreciation about the actual risks posed to organizations through the use of P2P networks and, as a result, companies are not engaged in effective prevention or awareness of the issue," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "In fact, many of the measures we were told companies are taking to prevent data loss through P2P networks, such as firewalls, ID management, and monitoring of the World Wide Web, are completely ineffective against P2P file sharing disclosures."

The Ignored Crisis in Data Security: P2P File Sharing was conducted in February 2008 and derived from the responses of more than 750 senior information technology security professionals.

About the Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About Tiversa

Tiversa™ is the world's leading provider of Peer-to-Peer Intelligence Services enabling corporations and government agencies to locate and stop the release of compromised confidential, sensitive, and classified information on global P2P File Sharing Networks. Requiring no software or hardware, Tiversa's systems monitor over 1.5 billion searches a day and over 450 million P2P nodes. Contact Tiversa at (724) 940-9030 or
