Companies ‘unprepared against cyber threats’
Dubai, June 16, 2013
Despite broad recognition that cyber threats are more prevalent than ever before, more than one-third of companies are not adequately prepared to respond to a data breach or IT security crisis, a report said.
More than two-thirds (68 per cent) of respondents in the 2013 IT Security and Privacy Survey conducted by global consulting firm Protiviti said they have elevated their focus on information security in response to recent press coverage of so-called “cyber warfare.”
However, the number of companies that appear inadequately prepared for a crisis is surprisingly high. When asked if their organizations have a formal and documented crisis response plan for use following a data breach or hacking incident, more than 33 per cent reported that either their organizations did not (21 per cent) or they did not know (13 per cent).
“Cyber security must continue to be a major focus for businesses, especially in light of recent high-profile security breaches,” said Cal Slemp, managing director with Protiviti and global leader of the firm's IT security and privacy practice.
“While we’re seeing a greater number of companies across a wider range of industries devote more attention and resources to improving their approach to data security, there are still a lot of businesses that are susceptible to attacks.”
Data Policy and Retention/Storage Issues
According to the survey results, many companies lack key data policies and are ineffective at managing data through proper retention and storage practices, including the classification of sensitive data.
Approximately 22 per cent of companies do not have a written information security policy (WISP) and 32 per cent lack a data encryption policy. Not having these policies in place is an important consideration when a breach involves information covered by data privacy laws and can expose an organization to significant legal liability.
Companies also lack clarity on what constitutes data as sensitive, confidential or public, with only 63 per cent of respondents reporting that their organizations have a system for properly classifying data.
“The findings suggest many companies are either ineffective in securing the most important data or attempting to secure all data instead of focusing resources on data that presents the greatest risk, if exposed through a breach,” said Slemp.
However, he added that in a positive development, there was year-over-year growth in the percentage of companies putting into place detailed schemes and policies to classify their data, which is key to understanding and securing an organization’s most sensitive information.
CIOs Take a More Strategic Role
Another positive development is that, as data security continues to play a larger role in business operations and the use of so-called big data becomes more integrated with strategic business objectives, CIOs are seeing their responsibilities increase.
The survey showed that more CIOs are taking responsibility for data governance strategy, oversight and execution within their organizations. Additionally, companies with documented crisis plans enacted in response to a data breach or hacking incident have now begun to involve their CIOs far more than ever before.
In 2012, only 58 per cent reported that their CIO was involved in addressing such an incident compared to 72 per cent in 2013 (up 14 per cent).
“The role of the Chief Information Officer is becoming more prominent in organizations, in part, because of the importance of data, both in terms of advancing the business as well as managing risk,” said Slemp.
“The reality is that as data continues to evolve as a critically important asset, it must be managed differently, and more effectively than other assets.”
The second edition of Protiviti’s IT Security and Privacy Survey gathered insights from 194 information technology executives and professionals at companies with gross annual revenues ranging from less than $100 million to greater than $20 billion. The survey was conducted in the first and second quarters of 2013. Respondents included CIOs, CSOs, IT directors, managers and IT auditors. – TradeArabia News Service