
A third of firms lack adequate data protection policies, survey finds

Protiviti survey shows that simple steps towards better cyber risk management, such as policy and process, still require attention for many companies

Despite an increased emphasis on cyber security, a third of firms still lack policies for information security, data encryption and data classification, a survey has revealed.

The Protiviti 2015 IT Security and Privacy Survey, which gathered insights from more than 700 executives and IT professionals, assesses security and privacy policies, data governance, data retention and storage, data destruction policies and third-party suppliers and access, among other topics that organisations need to manage and improve.

“Cyber security is not solely a technology problem,” said Ryan Rubin, a Protiviti managing director with the consulting firm’s global cyber security practice.

“The survey highlights that simple steps towards better risk management, such as policy and process, still require attention for many,” he said.

The survey also shows that in many companies, information security still comes under the IT department. “This may explain the lack of priority associated in addressing the softer side of security,” said Rubin.

“It’s increasingly important to ‘set the tone from the top’ and define organisational rules and management expectations that will create sufficient awareness to all in the organisation. This will ensure risk appetite is adequately communicated to protect data, mitigate cyber risks and manage potential breaches,” he said.

According to the survey report, setting the right tone from the top is as important as any policy and should include strong board engagement in information security and management establishing “best practice” policies.

The survey found only 28% of organisations indicated that there is currently a high level of engagement by the board, compared with 30% in the 2014 survey.

Nearly a third said there was medium engagement and level of understanding, 15% reported the level to be low, while 25% said they did not know the level of board engagement and understanding of information security risks relating to their business.

According to the survey report, a strong security foundation must include the right policies. Organisations that have all of their “core” information security policies in place – including acceptable use, data encryption and more – demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities, the report said.

The survey shows that many companies lack critical policies and an understanding of which data assets are most important. The majority have a less-than-excellent understanding of their most sensitive data and information and do not have strong awareness of potential exposures, the report said. According to Protiviti, such gaps leave the organisation open to cyber attacks and significant security issues.

Despite these findings, the survey suggests that organisations are now beginning to better understand how to manage and protect sensitive data, such as private customer data, intellectual property, healthcare data and payment card industry information.

The survey report notes that confidence in the ability to prevent an internal or external cyber attack is not high. While two out of three organisations report being more focused on cyber security, most lack a high level of confidence that they can prevent a targeted cyber attack, whether from external parties or insiders.

However, the report said this mindset is not necessarily a bad thing and may prove to be a healthy one if this perspective drives a focus on improvement.
