Companies Not Protecting Growing Data Assets, Survey Says

There are plenty of companies guilty of not applying data security best practices, according to the “2014 IT Security and Privacy Survey,” from Protiviti.

1 October 2014


Is your company one of those not applying best practices to securing and protecting their data?

If so, there are plenty of other companies guilty of such lapses, according to the “2014 IT Security and Privacy Survey,” from Protiviti, a consultancy firm. Here we are in the second decade or so after the rise of the Web-universe, and most firms haven’t addressed that most basic item: data security through the entire content lifecycle.

This is the third such Protiviti survey, and this version makes it clear that while there has been progress in securing corporate networks, basic gaps frequently remain. “Many organizations still fall short of important standard protocols for IT security and privacy,” states Cal Slemp, Protiviti’s managing director, in a press release. “Companies need to take more action in relation to the risks they recognize to better protect their crucial data.”

Companies Need Stronger Data Protocols and Governance

There were some sobering findings from the respondents (among whom were 340 chief information officers, chief security officers, IT directors, managers, and auditors). Protiviti gathered some particularly troubling data management statistics:

  • One in three companies lacked a written information security policy (WISP)
  • More than 40 percent lacked a data encryption policy
  • Twenty-five percent don’t have acceptable use or record retention-destruction policies
  • The number of firms retaining all their data and records has doubled — this increases risk if the companies don’t know how to properly manage the information
  • Many firms don’t apply classification schema to data for future processing and governance
  • Even fewer companies are prioritizing highly regulated information, such as payment card and healthcare data

Perhaps it’s not surprising that Protiviti learned that organizations, overall, don’t have “high confidence” they can fend off a cyber-attack or prevent a data breach.

Gloomy Security Landscape

The bad news didn’t end there. The survey indicates too many companies aren’t preparing to defend themselves. In fact, there was a jump from last year in the number of firms lacking a formal response plan to a data breach or cyber-attack crisis.

And no firm should be without one. Indeed, every month it seems another company joins the data breach of the month club. This past month, it was Home Depot; before that it was Target; the list stretches on.

Security Problems Become Public Problems

On the bright side, more CIOs and CSOs are taking on the primary responsibility for security policies, according to previous Protiviti surveys. This is encouraging — because proper security and data management require leadership.

And until IT managers, CIOs, and other corporate leaders realize they must provide the impetus to succeed, chances are a company’s data security vulnerabilities will just continue.