Businesses are still failing on the basic requirements for information security such as visibility of their data assets, says security firm Websense.
This first-hand experience with UK organisations is supported by recent global research by the Ponemon Institute commissioned by Websense.
More than a third of information security professionals who said their organisations had been hit by a security breach admitted they had no idea what data had been stolen, the study showed.
“This means in many organisations even basic security functions are being missed,” said Neil Thacker, information security and strategy officer for Europe at Websense.
“The coming European data protection legislation will require mandatory breach notification, but that will be a challenge for organisations that lack visibility of their data assets,” he told Computer Weekly.
Proper visibility of data assets will be essential when organisations are called upon to report data breaches and assess their impact.
Thacker said these organisations are running out of time to ensure they know what is going on in their IT infrastructure and they have a fast and efficient way of assessing the impact of data breaches.
“All businesses in Europe should ensure they have established data discovery and classification processes in place by the time the new legislation is enacted,” he said.
Another priority should be assigning ownership of, and responsibility for, all data assets to business leaders in information security by making them accountable for specific data sets.
“Discovery, classification and accountability are the basic requirements for information security, and yet they are still being missed,” said Thacker.
In addition to meeting regulatory requirements, he believes greater visibility is important to building better, more collaborative relationships between IT security teams and business leaders.
“Business leaders – including the board of directors – are most interested in what impact any data breaches will have on the business,” explained Thacker.
“It is therefore essential for security pros to know exactly what is going on, and to be able to tell the business what the impact is likely to be,” he said.
He also thinks it is important for IT security professionals to analyse every data breach and its impact on the business, then use that analysis to identify gaps in security and report them to business managers.
“The coming European data protection laws will help encourage organisations to get better at documenting breaches and applying what they learn,” he said.
The research also revealed that 47% of information security professionals polled were frequently disappointed with the level of protection their security systems provided.
“Organisations that are not seeing a good return on investment should be looking for ways of maximising the benefit of the systems they have,” said Thacker.
He also said businesses should be analysing the reasons for failing to achieve the expected returns and look for ways of avoiding the same mistakes in future.
For example, organisations should consider whether original requirements were flawed – or have changed – and whether suppliers are making unrealistic claims about the capabilities of their products.
“More due diligence is needed to ensure the correct products are acquired to meet the specific security needs of the organisation and products under consideration can do what their makers claim,” said Thacker.
He challenged other security suppliers to follow Websense in providing pro bono consultancy services to clients to ensure investments in security technologies meet the requirements of the business.