One in Three Companies Lacks Policies for Information Security, Data Encryption and Classification, According to Protiviti’s 2015 IT Security and Privacy Survey
Despite priority placed on cybersecurity, companies still have significant room to improve existing practices
MENLO PARK, Calif. – September 30, 2015 – At a time when cybersecurity breaches are becoming more frequent and significant, organizations are continuing to place a high priority on improving their cybersecurity frameworks. However, despite improvement in many areas, one in three companies still lacks policies for its information security, data encryption and data classification, according to The Battle Continues – Working to Bridge the Data Security Chasm: Assessing the Results of Protiviti 2015 IT Security and Privacy Survey (www.protiviti.com/ITsecuritysurvey) from global consulting firm Protiviti.
“It’s no stretch to state that the spectrum and sophistication of cyber attacks and the diversification of their origin will continue to increase,” said Cal Slemp, a Protiviti managing director with the firm’s global cybersecurity practice. “Companies appear intent on addressing data security issues, but are these intentions translating into effective policies and actions to secure organizations’ most valuable data? The results are mixed, at best, according to our 2015 survey. It’s increasingly important for organizations to avoid complacency and consistently enhance their infrastructure, data frameworks and response plans to protect, mitigate and manage potential breaches.”
The IT security and privacy survey, which gathered insights from 708 Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT vice presidents and directors and other IT management professionals, assesses security and privacy policies, data governance, data retention and storage, data destruction policies and third-party vendors and access, among other topics that organizations need to manage and improve. Protiviti’s report also includes recommended actions for IT leaders as well as trends to watch. Key findings from the 2015 survey include:
- “Tone from the top” is a critical differentiator – From strong Board engagement in information security to management establishing “best practice” policies, effective security starts with the right tone from the top, which is as important as any policy. Only 28 percent of organizations indicated that there is currently a high level of engagement by the Board (compared to 30 percent in the 2014 survey):
How engaged is your Board of Directors with information security risks relating to your business?
|High engagement and level of understanding by the Board||28%||30%|
|Medium engagement and level of understanding by the Board||32%||41%|
|Low engagement and level of understanding by the Board||15%||20%|
- A strong security foundation must include the right policies – Organizations that have all of their “core” information security policies in place – including acceptable use, data encryption and more – demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities.
- Many companies lack critical policies and an understanding of their “crown jewels” – Most have a less-than-excellent understanding of their most sensitive data and information (71 percent) and do not have strong awareness levels concerning potential exposures. Such gaps open up the organization to cyber attacks and significant security issues. Despite these findings, the survey suggests that organizations are now beginning to better understand how to manage and protect sensitive data such as private customer data (80 percent), intellectual property (63 percent), health care data (51 percent) and payment card industry information (47 percent).
- There aren’t high levels of confidence in the ability to prevent an internal or external cyber attack – While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they can prevent a targeted cyber attack, either from external parties or insiders. However, this mindset is not necessarily a bad thing – in fact, it may be a healthy one if the perspective drives a focus on improvement.
About the Survey
The fourth edition of Protiviti’s IT Security and Privacy Survey was conducted in the third quarter of 2015. Forty-eight percent of respondents work for organizations with $1 billion or more in revenue and 40 percent of respondents’ companies are public. The majority of respondents’ companies are located in North America.
Survey Resources Available: Report, Webinar, Infographic, Video and Podcast
A complimentary survey report is available for download at: www.protiviti.com/ITsecuritysurvey.
A 60-minute webinar with two of Protiviti’s cybersecurity managing directors, Cal Slemp and Scott Laliberte, discussing implications of the survey results will be held on October 27 at 10:00 a.m. PDT. To register for the complimentary webinar, please visit http://www.protiviti.com/webinars.
An infographic and video summarizing the survey results are also available at www.protiviti.com/ITsecuritysurvey. Additionally, a podcast with Slemp discussing the survey results is available atwww.protiviti.com/podcasts.
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.
Named to the 2015 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.