Organisations are still struggling to manage data securely, prepare for potential crisis scenarios, and defend against hacking and other cyber threats, a report shows.
This lack of confidence among IT professionals, despite a high level of awareness of security risks by executives, underlines the need for strong incident response planning and execution, the report said.
The report highlights a significant year-over-year jump in the number of organisations without a formal and documented crisis response plan. This has gone from 12% in 2012 to 21% in 2013.
“Our survey results tell a story of gaps between where companies currently stand and where they should be in relation to fundamental elements of IT security,” said Ryan Rubin, Protiviti managing director and UK leader of the firm's IT security and privacy practice.
“Some progress has been made since our last survey, yet many organisations still fall short of important standard protocols for IT security and privacy,” he said.
There is a correlation between board engagement and stronger IT security profiles, the report said, with nearly three out of four boards having a good level of understanding of information security risks.
Organisations whose boards are concerned with how the organisation is addressing its risks, have significantly stronger IT security profiles, the survey found.
But one in five boards report a low level of engagement in how the company is addressing information security risks.
More on data management
“With greater market sensitivity to information security issues, as well as a rise in associated legal requirements, we would expect board interest to be even higher in most organisations,” said Rubin.
The survey revealed that companies do not have proper “core” data policies. A third of companies do not have a written information security policy and more than 40% lack a data encryption policy.
A quarter do not have acceptable use or record retention/destruction policies. “These are critical gaps in data governance and management, and they carry considerable legal implications,” the report said.
The survey found that the percentage of organisations that retain all data and records is 47%, up from 29% in 2012, while just 44% of organisations reported some form of data classification schema, down from 63% in 2012.
However, the survey shows chief information officers and chief security officers are more engaged in taking on the primary responsibility for security policies than in previous years.
Companies are also becoming more aware of their data lifecycle – where and how long their data is stored. Only a small number of organisations are moving their sensitive data into the cloud, for example.
Just 3% said sensitive information was stored offsite with a cloud supplier, up from 2% in 2012. The report said organisations are still testing cloud-based storage by using if for non-sensitive data.
The report concludes that, while many organisations are trending in the right direction, when it comes to managing and securing their data, significant gaps remain.
The lack of written information security policies and data encryption policies in many companies is a “critical red flag”, the report said.
Also, most organisations do not have a detailed data classification system, with varying retention policies and destruction dates.
“By addressing these gaps, organisations can enhance their data management capabilities substantially, increase the efficiency of the investment they make in information management, and improve protection for one of their most critical assets,” the report said.