With cyber attacks and data breaches routinely making media headlines, conventional wisdom suggests companies would be making IT security and data privacy a top priority.
But the results of Protiviti’s 2014 IT Security and Privacy Survey indicate many organizations still have done little to safeguard against such potential crises. And worse, they are ill-prepared to mitigate them if they should strike.
Perhaps, most glaring – and difficult to explain – is the lack of corporate initiative with regard to written information security policies (WISPs) and data encryption policies. More than one-third of survey respondents said they do not have a WISP in place, and 41 percent lacked a data encryption policy.
Such findings are startling, considering that 46 of 50 states have data privacy laws that impose significant penalties on organizations that expose confidential data. Every privacy-related law holds accountable the company in possession of private data if that information is breached. Just as important, nearly all of these laws allow for leniency if the targeted organization has a WISP and data encryption policy. There is no way to sugarcoat it. With the opportunity to minimize legal liability, it is imperative for companies to adopt these policies.
Beyond highlighting such deficiencies, our survey provides insights into key factors that help organizations establish and maintain a robust IT security and privacy profile. Conducted in the second quarter of this year, the survey incorporates responses from more than 340 CIOs, chief information security officers, and other IT executives and management-level professionals.
The common denominator among entities with strong cybersecurity profiles is an engaged board of directors that is cognizant of security and privacy issues. According to our survey, 78 percent of organizations with boards demonstrating a high or medium level of engagement and understanding of security risks had all “core” information security policies in place. It is important to note that involvement doesn’t mean boards must be aware of every security practice detail. However, boards that set a strong “tone at the top” will drive their organizations to plan and implement more robust cybersecurity measures.
Our survey’s findings repeatedly show striking differences in security performance between companies with strong board engagement in information security and those without it.
For example, with data volume growing almost exponentially, it is paramount for companies to stratify their data based on importance and apply appropriate retention and destruction dates to each type, according to regulatory and legal requirements or industry standards. Here again, there is a clear divide between companies with regard to this pressing challenge: 87 percent of companies with boards that are highly engaged in information security have a clear data classification policy, compared with 64 percent for those lacking board engagement.
Likewise, although all companies can fall victim to hackers, it is interesting that those with a board that is more engaged in information security likely will recover more quickly after an attack: 77 percent of these companies have a formal and documented crisis response plan that would be executed in such an event. By comparison, only 47 percent of companies without high board engagement in information security are similarly prepared.
The obvious question is, why is high board engagement in information security such a differentiator? In our experience, operational teams in these organizations are compelled to tackle IT security issues earnestly as a result of oversight and direct questions from board members. Furthermore, they likely are producing meaningful metrics and communicating effectively with the board, which in turn may authorize management to make greater investments in security measures.
The clear takeaway here is that a board that is highly engaged in information security often leads to a security-conscious environment that fosters a true understanding of an organization’s capabilities – and, just as importantly, its limitations.