
IT decision makers admit they need to do more to protect data

More than a quarter of IT decision makers at UK organisations admit they need to do more to protect data, a survey reveals

Most IT leaders recognise the importance of data protection – but more than a quarter of IT decision makers (ITDMs) at UK firms admit they could do more to protect corporate data.

Almost 90% of CIOs/CISOs, 80% of ITDMs and 74% of knowledge workers said their ability to protect corporate and customer data is vital or very important to their company’s brand and reputation, according to a survey commissioned by security firm Code42.

However, 28% of ITDMs said they do not do enough, or are not sure that they do enough to protect corporate data, the 2016 Datastrophe Study found.

This will be of great concern to knowledge workers, at least a third of whom believe the business they work for may be at risk of a data breach that could go public in the next year.

The study also found that respondents believe that as much as 45% of all their corporate data is held on endpoint devices.

The serious implications and risks of this are understood at the top of the IT organisation – with 88% of CIOs/CISOs and 83% of ITDMs stating that losing this data would be seriously disruptive or even business destroying.

Awareness of data risk is also felt on the shop floor, with 47% of knowledge workers agreeing that the risks of corporate data loss would pose a threat to business continuity.

Yet, despite this understanding, 30% of ITDMs admit that they do not have, or do not know if they have, an endpoint data protection (backup) strategy.

“The study shows that more needs to be done to protect the enterprise,” said Phil Cracknell, founding member at ClubCISO.

“CISOs need to stop being the custodians of security and start taking the position of service providers and consultants to the business,” he said.

Compliance concerns

Cracknell believes that, while decisions around IT projects should be driven by the business, lines of business managers should be working closely with their CISOs to ensure projects measure up to the rigours of modern enterprise security.

“It's no longer enough for the general IT team to give advice – often based on what they 'can' or want to provide – on information and data security,” he said.

According to the study, uncertainty around data protection strategies is no longer an option, especially in the face of a rapidly changing data protection policy landscape.

Nearly 70% of ITDMs suggest that the upcoming General Data Protection Regulation (GDPR) will affect the way they purchase and/or provision data protection and security tools/solutions, with 76% saying they will be putting additional security measures in place.

Yet, 18% are waiting for everything to be finalised before making changes. This will not be welcome news to at least a quarter of knowledge workers, who say they do not trust their IT teams or companies with their personal data.

“It is Quocirca’s belief that organisations have to put in place adequate measures to ensure a higher degree of data protection and security,” said Clive Longbottom, founder and analyst at Quocirca.

“Endpoint data management is a necessity along with data loss prevention (DLP) software and data encryption. Data should be centralised wherever possible and tracked and controlled through digital rights management (DRM) systems whenever it leaves the control of that central point.

“Mobile devices should be virtualised and sandboxed to prevent movement of data from the corporate space to the public one. Attempting to rely on the knowledge and goodwill of a changing workforce is not enough—the right tools have to be put in place.”

Mobility presses need for change

The study said now is the time for change, which it says is starting to happen – with 69% of ITDMs saying they should be doing their best to provision data security that matches user expectations and working patterns, while 54% of knowledge workers and 38% of ITDMs believe there should be more investment in endpoint data protection in their organisations.

“Today, in large part due to the onset of flexible working and increased mobility of knowledge workers, the majority of the data we carry is at the endpoint,” said Rick Orloff, CSO at Code42.

“This newfound mobility of data, combined with a rapidly evolving threat landscape, is causing enterprise IT security – which traditionally relied on locking data away safely in the datacentre – to go through a dramatic transformation.

“IT and information security teams need to find powerful new solutions that will keep data safe—wherever it might be. The time for change in the enterprise is now—from the C-suite to the knowledge worker.” 
