In an era when cyber security threats are more common than ever, organizations continue to struggle to manage data securely, prepare for potential crisis scenarios, and defend against hacking and other cyber threats, according to the 2014 IT Security and Privacy Survey conducted by Protiviti.
The survey results tell a story of gaps between where companies currently stand and where they should be in relation to fundamental elements of IT security.
“Some progress has been made since Protiviti's last survey, yet many organizations still fall short of important standard protocols for IT security and privacy,” said Cal Slemp, managing director with Protiviti. “Companies need to take more action in relation to the risks they recognize to better protect their crucial data.”
While executive management shows a higher level of awareness of the organization’s information security exposures, lower confidence levels among IT executives and professionals in preventing an attack or breach likely speak to the creativity of cyber-attackers and the inevitability of a breach – and to the need for strong incident response planning and execution.
The survey also revealed a significant year-over-year jump in the number of organizations without a formal and documented crisis response plan to execute in the event of a data breach or cyber attack.
Nearly three out of four boards have a good level of understanding about the organization’s information security risks, according to survey results.
Organizations whose boards are concerned with how the organization is addressing its risks have significantly stronger IT security profiles.
On the other hand, one in five boards appears to have a low level of engagement in how the company is addressing information security risks.
“With greater market sensitivity to information security issues as well as a rise in associated legal requirements, we would expect board interest to be even higher in most organizations,” said Slemp.
The study also shows that one in three companies does not have a written information security policy (WISP). More than 40 percent lack a data encryption policy. One in four does not have acceptable use or record retention/destruction policies.
These are critical gaps in data governance and management, and they carry considerable legal implications.
The percentage of organizations that retain all data and records has more than doubled – not necessarily a positive development. In addition, a relatively large number of organizations do not prioritize data that is processed and governed with a data classification schema.
Even fewer companies appear to prioritize data that is highly regulated, including PCI (payment card industry) and healthcare-related information.