MENLO PARK, Calif. – Mar. 6, 2012 – Companies have become highly proficient at collecting vast amounts of data, but many appear to be less savvy when it comes to how to classify and manage it, according to a new survey from Protiviti (www.protiviti.com), a global consulting firm. Among key findings, the survey showed that IT executives and managers at nearly a quarter of organizations who participated in the study believe senior management at their firms has limited or no understanding of the difference between sensitive information and other data.
For the report titled The Current State of IT Security and Privacy Policies and Practices (www.protiviti.com/ITsecuritysurvey), more than 100 IT executives and professionals were asked to weigh in on how their organizations classify and manage the data they accumulate - specifically how they handle the security of sensitive data to ensure customer privacy as well as comply with federal and state privacy laws and regulations.
“Organizations have made significant strides over the past decade integrating enterprise applications and collecting terabytes of valuable customer, supplier and employee data,” said Kurt Underwood, managing director and global head of IT Consulting, Protiviti. “However, our survey shows that many companies are holding onto more data than is prudent and for longer time frames than necessary, which poses significant data security and privacy risks. There are opportunities for executives to significantly reduce legal exposures, while driving sensitive data management improvements and cost savings.”
Twenty-three percent of respondents said their senior management appears to have “limited or no understanding” of the difference between sensitive information and other data. Only 26 percent believe their senior management has an “excellent” understanding of these differences. “This basic understanding of what constitutes ‘sensitive’ is absolutely critical because it sets the tone for how data is treated in every phase of its lifecycle from collection to destruction,” said Cal Slemp, managing director and head of Protiviti’s IT Security and Privacy practice. “Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks. It is our view that data with different sensitivity needs to be treated differently from an information security perspective. In addition, knowing what to keep and what to purge also helps organizations avoid falling into a default process of saving ‘everything forever,’ which comes with its own costs and risks.”
Other findings include:
- While 69 percent of companies in the study report having a clear data classification policy to categorize information (sensitive, confidential, public, etc.), just 50 percent have a specific plan in place to perform the categorization, suggesting a possible gap in data management.
- A strong majority of companies surveyed are employing effective data leakage policies. Eighty-six percent have an acceptable use policy; 81 percent have a record retention/destruction policy; 75 percent have a written information security policy (WISP); and 65 percent have a data encryption policy. “Organizations with these kinds of data leakage policies in place considerably reduce their risk of substantial legal fines and reputation damage,” Underwood said. “While laws vary from state to state, most allow for leniency if the organization has two well-designed elements in place: data encryption and a WISP.”
- Nearly three out of four companies surveyed have a crisis response plan in place to respond to a data breach or hacking incident. However, 27 percent either don’t have or don’t know if they have such a policy. As demonstrated by the frequency of media reports of data breaches, a lack of a crisis response plan suggests companies are placing themselves at an unnecessary risk.
- Only two percent of organizations who participated in the study say their firms store sensitive information in the cloud, indicating that this migration may be moving more slowly than generally thought, at least in terms of storing sensitive data. Most survey respondents (71 percent) said their companies use on-site servers for this purpose.
For more detailed survey results or to obtain a complimentary copy of the full report titled The Current State of IT Security and Privacy Policies and Practices, visit: www.protiviti.com/ITsecuritysurvey
Additionally, Protiviti has produced a podcast that offers Managing Director Cal Slemp’s analysis and commentary on the findings in the survey. Please visit www.protiviti.com/podcasts to listen or download the podcast.
Methodology and Demographics
Protiviti conducted The Current State of IT Security and Privacy Policies and Practices Survey via an online questionnaire in the fourth quarter of 2011 and the first quarter of 2012. Hailing from virtually every industry sector, survey respondents included chief information officers; chief information security officers; chief security officers; IT audit vice presidents, directors and managers; and IT vice presidents, directors and managers. More than half of the participants work for publicly traded companies; the others come from private, government and nonprofit organizations. Nearly 70 percent of respondents work for organizations with $1 billion or more in revenues.
About Protiviti Inc.
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through its network of more than 70 offices in over 20 countries, Protiviti has served more than 35 percent of FORTUNE® 1000 and Global 500 companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
Editor’s note: Infographic of selected survey results available in PDF or JPEG formats.