Many Organizations Remain Ill-equipped to Prevent or Respond to Data Breaches

Protiviti’s annual IT security and privacy survey of U.S.-based organizations finds many have heightened data security and legal liability risks.

ALBERT HOLZINGER
FREELANCE WRITER
 
Originally printed in the June 26, 2013, CAE Bulletin
 

Two-thirds of the nearly 200 U.S.-based chief information officers (CIOs) and other technology professionals who participated in Protiviti’s 2013 IT security and privacy survey say they are focusing more these days on keeping the information their organization collects and maintains safe and confidential. But other survey findings suggest many respondent organizations — which vary widely in type, size, and industry category — remain somewhat ill equipped to prevent or respond to internal and external threats to their data. “As much as everyone is aware of what’s going on, and the ramification and impact of what’s going on, so many companies are unprepared,” Rocco Grillo, a Protiviti managing director, recently lamented to The Wall Street Journal.

The survey report (PDF) notes that laws in 46 of 50 U.S. states impose substantial penalties on organizations that fail to keep customer and other data secure and confidential. Most of these statutes, the report says, allow for leniency if an organization has written information security and data encryption policies in place when it is breached. “Given this, it makes little sense for an organization to forego putting into place such policies, which will better secure their data and reduce their legal liability significantly,” the 20-page report observes. However, a substantial one third (32 percent) of respondent organizations still lack an encryption policy and about one fourth (22 percent) have no broad information security policy. Some respondent organizations — 14 percent and 13 percent, respectively — also lack record retention/destruction and acceptable data use policies.

Moreover, 21 percent of respondent organizations — inexplicably up from just 12 percent a year ago — do not have a formal, documented crisis response plan on the shelf awaiting activation in the event of a data breach or other hacking incident. The report says this says this is the survey’s “most intriguing, or even puzzling,” finding.

In contrast, the report says it is encouraging that most respondent organizations do have in force one or more of an array of technical policies that historically have proved effective in preventing, or at least minimizing, data leakage. Among the most widely adopted of these employee and other user guidance, in rank order, are a:

  • Strong password policy or standard, 87 percent.
  • Workstation/laptop security policy, 73 percent.
  • User access policy, 72 percent.
  • Network/network device security policy, 70 percent.
  • Third-party access control policy, 64 percent.
  • Removable media policy, 49 percent.

The report also says it is positive that increasing numbers of respondent organizations have implemented some nature of data classification scheme (63 percent versus 50 percent a year ago) and a data handling related policy (72 percent versus 69 percent). Less positive, the document says, is the finding that just 19 percent or respondents — down from 29 percent in 2012 — report that their organization’s system includes retention policies/destruction dates that vary by data classification. And just 21 percent of respondents rate their IT function’s support of the data acquisition/retention/ destruction process as excellent.

Perhaps more worrisome, just 30 percent of respondents believe those in the C-suite know and understand their organization’s data retention and destruction policy and process very well. A still lower 23 percent perceive all levels of managers do an excellent job of communicating the differences between public and sensitive data, and the appropriate treatment of each, to rank-and-file employees. The report says every organization should have an excellent understanding of the appropriate handling of sensitive data and a strong communications initiative to facilitate it. To this end, the document observes, “most organizations can benefit from better training and awareness with regard to what constitutes confidential data, where that data is housed, and how it is supposed to be accessed and handled.”

Not surprisingly, the CIO is the senior executive who creates and oversees the data governance policies and procedures of a plurality (38 percent) of respondent organizations, followed by the chief security officer (16 percent), chief privacy officer (4 percent), and chief financial officer (2 percent). In 12 percent of respondent organizations, individual department leaders are charged with these responsibilities. “The role of the CIO is becoming more prominent in organizations, in part, because of the importance of data, both in terms of advancing the business as well as managing risk,” Cal Slemp, another Protiviti managing director, says in a press release. “The reality is that as data continues to evolve as a critically important asset, it must be managed differently, and more effectively than other assets.”

The report also explores the use of some emerging technologies. For example, contrary to conventional wisdom, just 3 percent of respondent organizations now entrust their sensitive data to a cloud computing vendor, though a significantly larger 21 percent use their own off-site servers for storage and access purposes. A majority of respondent organizations (57 percent) continue to retain sensitive data in their onsite data centers. “Our experience indicates that organizations are still testing [the security of offsite storage] by leveraging cloud-based storage for nonsensitive information,” the report says. “Once their confidence in the security of this storage capability is sufficient, the number of organizations using cloud-based vendors for storing sensitive data will likely rise.”

So-called big data is an emerging technology respondent organizations have, in fact, begun widely adopting. Specifically, an overwhelming majority of respondents report that their organization is using large databases for business-intelligence purposes significantly more (20 percent) or somewhat more (46 percent) now than it did two years ago. A majority of the information (54 percent) currently in those databases was obtained from various sources within the organization or from third parties.

Albert Holzinger is a freelance writer based in Savannah, Ga.