The study was carried out by management consultants Deloitte & Touche LLP, and researchers questioned companies from all parts of the world. According to the analysis, many of the companies' approaches to security had failed to keep pace with changing business practices, possibly exposing the organisations to data leakage from internal staff and business partners.
The respondents were drawn from three main sectors: life sciences (biotechnology and pharmaceutical), healthcare providers and healthcare payers.
In the life sciences sector, 44% of the surveyed companies did not have a chief information security officer, or CISO, in place to oversee an organisation's security posture. Among healthcare payers, the figure was even higher, at 57%.
As the report points out: "Biotech and pharmaceutical companies face greater security risks than the other two sectors, given the tremendous value of their intellectual property and the amount of clinical trial information that they generate, as well as the risks associated with data sharing necessitated by partnerships and alliances."
But all three sectors are saddled with what the report authors describe as "traditional thinking," which reflects a time when systems were more self-contained and easier to protect. Although the companies have embraced outsourcing and greater data sharing with third parties, their security posture has failed to reflect those changes.
The report notes that, while only a small percentage of companies currently have data leakage prevention technology in place, most said they will deploy it over the next 12 months. This sudden rush, it claims, indicates a reactive approach and appears to be a result of some high-profile data breaches, particularly in the U.S.
According to the report, as the business and regulatory environment of the industry evolves, the CISO needs to take on a more strategic role. In 43% of the companies that had a CISO, that person reported to the chief information officer, or CIO. In this kind of relationship, the CISO tends to be responsible for technology, but has less influence over the way information is managed. The authors of the report describe the discovery as "a disturbing statistic, since a strong level of preparedness to meet current and future security and privacy requirements is a direct corollary to the existence of an appropriately positioned and empowered CISO."