Companies still need to get their data security houses in order
In an era when cyber security threats are more common than ever, organizations continue to struggle to manage data securely, prepare for potential crisis scenarios, and defend against hacking and other cyber threats, according to findings from the 2014 IT Security and Privacy Survey (www.protiviti.com/ITsecuritysurvey) conducted by global consulting firm Protiviti (www.protiviti.com).
"Our survey results tell a story of gaps between where companies currently stand and where they should be in relation to fundamental elements of IT security. Some progress has been made since our last survey, yet many organizations still fall short of important standard protocols for IT security and privacy," said Cal Slemp, managing director with Protiviti and global leader of the firm's IT security and privacy practice. "Companies need to take more action in relation to the risks they recognize to better protect their crucial data."
Key Survey Findings
The overarching findings from this year's results are tied predominantly to five major themes that suggest companies still need to make further improvements to their IT security and privacy practices.
Organizations lack high confidence in their ability to prevent a cyber attack or data breach. While executive management has a higher level of awareness when it comes to the organization's information security exposures, lower confidence levels among IT executives and professionals in preventing an attack or breach likely speak to the creativity of cyber-attackers and the inevitability of a breach – and the need for strong incident response planning and execution.
Companies are not properly preparing for crisis scenarios. There is a significant year-over-year jump in the number of organizations without a formal and documented crisis response plan to execute in the event of a data breach or cyber attack.
There is a correlation between board engagement and stronger IT security profiles. Nearly three out of four boards have a good level of understanding about the organization's information security risks, according to survey results. Organizations whose boards are concerned with how the organization is addressing its risks have significantly stronger IT security profiles. On the other hand, one in five boards appears to have a low level of engagement in how the company is addressing information security risks. "With greater market sensitivity to information security issues as well as a rise in associated legal requirements, we would expect board interest to be even higher in most organizations," said Slemp.
Companies do not have proper "core" data policies. One in three companies does not have a written information security policy (WISP). More than 40 percent lack a data encryption policy. One in four does not have acceptable use or record retention/destruction policies. These are critical gaps in data governance and management, and they carry considerable legal implications.
Not all data is equal. The percentage of organizations that retain all data and records has more than doubled – not necessarily a positive development. In addition, a relatively large number of organizations do not prioritize data that is processed and governed with a data classification schema. Even fewer companies appear to prioritize data that is highly regulated, including PCI (payment card industry) and healthcare-related information.
Some Positive Results
The survey shows that CIOs and CSOs are more engaged in taking on the primary responsibility for security policies than in prior years. Also, companies are becoming more aware of their data lifecycle – where and how long their data is stored. Of note, only a small number of organizations are moving their sensitive data into the cloud despite news stories and industry conjecture to the contrary.
Webinar and Additional Resources Explore Survey Results Further
The third edition of Protiviti's IT Security and Privacy Survey gathered insights from more than 340 CIOs, CSOs, IT directors, managers and IT auditors at companies with gross annual revenues ranging from less than $100 million to greater than $20 billion.