New Research from Protiviti Provides Insight into Companies’ Strengths and Weaknesses in Managing Unprecedented Volumes of Data
Limited understanding about what differentiates “sensitive” information from other data creates information security and privacy risk for many businesses, new Protiviti study suggests
London – March 22, 2012 – Companies have become highly proficient at collecting vast amounts of data, but many appear to be less adept at classifying and managing it, according to a new survey from Protiviti, a global consulting firm. Among the key findings, IT executives and managers at nearly a quarter of the organisations that participated in the study believe senior management at their firms has limited or no understanding of what constitutes the organisation's "sensitive" data and information.
For the report titled The Current State of IT Security and Privacy Policies and Practices, more than 100 IT executives and professionals were asked to weigh in on how their organisations classify and manage the data they accumulate – specifically how they handle the security of sensitive data to ensure customer privacy as well as comply with regulations.
“Data explosion is becoming an increasingly big issue for many UK businesses. Many are struggling to manage the vast amount of information passing through the business, and lack the tools required to analyse it in a reasonable time frame, using conventional techniques. Organisations have made significant strides over the past decade integrating enterprise applications and collecting terabytes of valuable customer, supplier and employee data,” said Jonathan Wyatt, managing director and UK head of IT Consulting, Protiviti.
“However, our survey shows that many companies are holding onto more data than is practical and for longer time frames than necessary, which poses significant data security and privacy risks. There are many tools available for executives to significantly reduce legal exposures, while driving sensitive data management improvements and cost savings.”
Twenty-three percent of respondents said their senior management appears to have "limited or no understanding" of what constitutes the "sensitive" data and information in their organisation. Only 26 percent believe their senior management has an "excellent" understanding of these differences. "This basic understanding of what constitutes 'sensitive' is absolutely critical because it sets the tone for how data is treated in every phase of its lifecycle – from collection to destruction," said Ryan Rubin, director and UK head of Protiviti's IT Security and Privacy practice. "Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks. It is our view that data with different sensitivity needs to be treated differently from an information security perspective. In addition, knowing what to keep and what to purge also helps organisations avoid falling into a default process of saving 'everything forever,' which comes with its own costs and risks."
Other findings include:
· While 69 percent of companies in the study report having a clear data classification policy to categorise information (sensitive, confidential, public, etc.), just 50 percent have a specific plan in place to perform the categorisation, suggesting a gap between policy and execution in data management.
· A strong majority of companies surveyed have data leakage policies in place. Eighty-six percent have an acceptable use policy; 81 percent have a record retention/destruction policy; 75 percent have a written information security policy (WISP); and 65 percent have a data encryption policy. "Organisations with these kinds of data leakage policies in place considerably reduce their risk of substantial legal fines and reputation damage," Wyatt said. "While laws vary from country to country, most allow for leniency if the organisation has two well-designed elements in place: data encryption and a WISP."
· Nearly three out of four companies surveyed have a crisis response plan in place to respond to a data breach or hacking incident. However, 27 percent either do not have such a plan or do not know whether they have one. Given the frequency with which data breaches are reported in the media, companies without a crisis response plan are exposing themselves to unnecessary risk.
· Only two percent of organisations that participated in the study say their firms store sensitive information in the cloud, indicating that this migration may be moving more slowly than generally thought, at least where sensitive data is concerned. The low figure could also reflect a lack of awareness, at all levels of the organisation, of which cloud services are actually in use. Most survey respondents (71 percent) said their companies use on-site servers for this purpose.
For more detailed survey results or to obtain a complimentary copy of the full report titled The Current State of IT Security and Privacy Policies and Practices, visit: www.protiviti.com/ITsecuritysurvey.
Additionally, Protiviti has produced a podcast that offers Managing Director Cal Slemp’s analysis and commentary on the findings in the survey. Please visit www.protiviti.com/podcasts to listen or download the podcast.
Methodology and Demographics
Protiviti conducted The Current State of IT Security and Privacy Policies and Practices Survey via an online questionnaire in the fourth quarter of 2011 and the first quarter of 2012. Survey respondents came from a variety of industry sectors and included chief information officers; chief information security officers; chief security officers; IT audit vice presidents, directors and managers; and IT vice presidents, directors and managers. More than half of the participants work for publicly traded companies; the others come from private, government and nonprofit organisations.
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through its network of more than 70 offices in over 20 countries, Protiviti has served more than 35 percent of FORTUNE® 1000 and Global 500 companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.