Most organisations are failing to apply simple data protection standards and, in many cases, are unaware of what security practices are currently in place, a study has revealed.
Almost two-thirds of organisations are failing to encrypt data in the cloud, according to a joint study by information security research firm Echelon One and key and certificate management firm Venafi.
The study ranks more than 400 enterprise and government agency organisations in terms of 12 security and compliance best practices.
The respondents completed an online self-assessment, which Venafi and Echelon One have made available for all organisations to use as a benchmarking tool.
"The assessment findings were startling. We suspected we would find that many organisations were challenged, but we had no idea that failure rates would run this high," said Bob West, chief executive of Echelon One.
The results of the study and the self-assessment guide will help organisations to see where they rank in comparison with peers, determine where weaknesses exist and identify steps they can take to reduce security and compliance risks, he said.
The study highlights that:
77% of organisations polled are not performing quarterly security and compliance training
64% are failing to encrypt all cloud data and transactions
10% are not using encryption throughout the organisation
55% do not have management processes in place to ensure business continuity in the event of a Certificate Authority (CA) compromise
82% are not rotating secure shell (SSH) keys every 12 months
The assessment further revealed that almost 100% of organisations polled had some degree of unquantified or unmanaged risk.
When asked if their organisations encrypted data stored in public clouds such as Google Apps, Salesforce.com and Dropbox, 40% of respondents did not know, 41% did not know how often critical encryption assets such as SSH keys were rotated, and 10% did not know if their organisations were using encryption keys and certificates for data security and system authentication.
The biggest security struggle organisations face today is managing the unknown or unquantified and unmanaged risks, said Jeff Hudson, chief executive of Venafi.
"Your best security assets can easily turn into liabilities if not managed properly. If this assessment demonstrates anything, it is that IT and security departments must gain greater visibility over all of their security and compliance activities, and take steps to better understand and manage them," he said.
Other findings include:
56% do not use the recommended encryption key lengths
20% do not know the length of encryption keys deployed
30% do not encrypt data types that should be encrypted
9% do not know what data types they encrypt
31% do not have, or do not know whether they have, separation of duties for administrative access to encryption keys
45% are not managing all processes
32% of organisations are performing security and risk assessments too infrequently
16% do not know when the last security and risk programme assessment was conducted
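The SSH key-rotation and key-length findings above are exactly the kind of "unquantified risk" that a periodic inventory makes visible. The following is an added example, not code from the study or from Venafi or Echelon One: it decodes OpenSSH authorized_keys-format lines to recover each key's algorithm and real bit length (for RSA, the modulus size rather than the type string), then checks each key against an assumed policy. The minimum bit lengths, the sample keys (constructed, not real key pairs) and the "first seen" dates standing in for a key inventory are all assumptions; the 12-month rotation window is the figure the study uses.

```python
"""Inventory OpenSSH public keys for length and rotation age.

Added example, not part of the original article. Key material, policy
thresholds and first-seen dates below are constructed assumptions.
"""
import base64
import struct
from datetime import date

# Assumed policy (not from the study): minimum bits per key type, and the
# 12-month rotation window the study measures against.
MIN_BITS = {"ssh-rsa": 3072, "ssh-ed25519": 256,
            "ecdsa-sha2-nistp256": 256, "ecdsa-sha2-nistp384": 384,
            "ecdsa-sha2-nistp521": 521}
MAX_AGE_DAYS = 365


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; a leading zero byte is
    added when the top bit is set so the value reads as positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_line(line: str):
    """Return (key_type, bits, comment) for one authorized_keys-format line.
    The RSA modulus is decoded from the wire blob so that a 1024-bit key
    labelled 'ssh-rsa' is reported at its true size."""
    fields = line.split()
    for i, tok in enumerate(fields):      # options such as from="..." may precede the type
        if tok in MIN_BITS:
            key_type, b64 = tok, fields[i + 1]
            comment = fields[i + 2] if len(fields) > i + 2 else ""
            break
    else:
        raise ValueError("unrecognised key type")
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type field does not match wire type")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent, not needed here
        n_bytes, _ = _read_string(blob, off)
        return key_type, int.from_bytes(n_bytes, "big").bit_length(), comment
    if key_type == "ssh-ed25519":
        return key_type, 256, comment
    curve, _ = _read_string(blob, off)      # e.g. b"nistp256"
    return key_type, int(curve.decode()[len("nistp"):]), comment


def audit(inventory, as_of: date):
    """inventory: list of (authorized_keys_line, first_seen_date).
    Returns (comment, key_type, bits, age_days, findings) per key."""
    report = []
    for line, first_seen in inventory:
        key_type, bits, comment = parse_line(line)
        age = (as_of - first_seen).days
        findings = []
        if bits < MIN_BITS[key_type]:
            findings.append(f"below {MIN_BITS[key_type]}-bit minimum")
        if age > MAX_AGE_DAYS:
            findings.append("not rotated within 12 months")
        report.append((comment, key_type, bits, age, findings))
    return report


# --- constructed sample keys (NOT real key pairs; only the wire size matters) ---
def rsa_line(n_bits: int, comment: str) -> str:
    n = (1 << (n_bits - 1)) | 0x10001       # top bit set -> exactly n_bits bits
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def ed25519_line(comment: str) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def ecdsa_line(curve: str, comment: str) -> str:
    t = f"ecdsa-sha2-{curve}"
    blob = _ssh_string(t.encode()) + _ssh_string(curve.encode()) + _ssh_string(b"\x04" + bytes(64))
    return f"{t} {base64.b64encode(blob).decode()} {comment}"


# Assumed inventory: first-seen dates stand in for real key-issue records.
SAMPLE_INVENTORY = [
    (rsa_line(1024, "legacy-deploy@build01"), date(2009, 3, 2)),
    (rsa_line(4096, "ops@bastion"), date(2011, 9, 20)),
    (ed25519_line("ci@runner7"), date(2011, 11, 1)),
    (ecdsa_line("nistp256", "dev@laptop"), date(2010, 12, 30)),
]
AS_OF = date(2012, 1, 15)

if __name__ == "__main__":
    for comment, key_type, bits, age, findings in audit(SAMPLE_INVENTORY, AS_OF):
        print(f"{comment:24} {key_type:20} {bits:5} bits {age:5} days  {'; '.join(findings) or 'ok'}")
```

Run against a real fleet, the inventory would come from collected authorized_keys files plus an issue date per key (from a key-management record, or at worst the file's modification time), and the two findings map directly onto the study's "recommended key length" and "rotated within 12 months" questions.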