Despite increasing concerns from customers and government regulators over data security and breach management, it appears that many companies have not taken the steps necessary to protect mission-critical data. According to the 2014 IT Security and Privacy Study performed by Protiviti, which received data from 340 public and privately held companies, it was found, among other issues, that many companies have failed to implement core security policies, lack a crisis response plan and often have not updated their incident response plan. Each of these elements is critical to a comprehensive and effective data protection plan. To help clients, prospects and others understand the state of data security, Holtzman Partners has provided a list of the study’s key findings below.
Key Findings Include:
- Lack of Confidence to Prevent Attack – The most interesting information to come from this study is the lack of confidence respondents expressed in their organization’s ability to prevent a breach or attack. Using a rating scale of 1-10, with 10 representing the most confidence, companies rated themselves as follows: companies that have all core security policies gave themselves a rating of 7.2, compared to a 6.3 rating given by companies lacking some or all core security policies.
- Written Policies & Procedures – It appears that most of the companies in the study have some of the necessary policies in place for effective data management. According to the study, 76% of companies have an acceptable use policy, 76% have a record destruction policy, 66% have a written information security policy and only 59% have a data encryption policy. The most concerning aspect of the study is the high number of companies without written information security and data encryption policies. These are the two policies identified as critical in almost all state laws, and they give regulators insight into how seriously a company is taking data protection.
- Additional Security Policies – In addition to the core security policies listed above, companies were also asked about additional security policies meant to prevent a data attack. 59% reported having a network device security policy, 53% reported having a data classification policy, 49% reported having a third-party access control policy and 46% reported having an incident response policy. The results indicate that many companies are not compliant with regulations and are therefore exposed to significant risks and liabilities.
- Board of Directors Engagement & Involvement – A key trend uncovered in the study is the importance of the Board of Directors’ engagement, its understanding of the organization’s data security issues, and its involvement in solution implementation. According to the study, 78% of companies that reported having implemented core security policies categorized the Board of Directors’ involvement as high- to medium-level.
- Crisis Response Plan – According to the study results, just over half of the companies that participated have a crisis response plan to guide actions should a breach occur. Findings noted that 56% responded “yes” (a 10% decline over 2013), 34% responded “no”, and 10% indicated they were “unsure if existing policies are sufficient”. It is deeply concerning that 44% of the companies surveyed did not have, or were unsure whether they had, documented policies in place to manage a data breach. As the complexity and depth of data attacks continue to grow, it is essential for companies to implement a plan to ensure key employees know what to do if the unthinkable happens.
- Incident Response Plan Update – It appears that almost half of the companies participating in the study have updated their incident response plan within the last year. According to the results, 46% of companies have updated their plan in the last year, 22% within the last two years, 9% within the last five years, 4% more than five years ago, and 19% have not updated their incident response plan since its development.