A new survey has revealed a chronic lack of confidence among businesses about their data protection
A new survey from data-governance software provider Varonis has revealed a worrying lack of confidence among businesses about their data protection capabilities.
Seventy percent of organisations storing third-party data are not “very confident” that the sensitive data stored within their organisation is protected, the survey found.
With 80 percent of organisations surveyed storing sensitive information from customers, clients, vendors and business partners, more than half were only “fairly confident” that it is protected. Nearly one-fifth were “not confident at all” that sensitive data is protected, and 5 percent were “unsure.”
This means that the majority of organisations in this study are failing to comply with Sarbanes-Oxley, the United Kingdom Data Protection Act of 1988 and the EU Data Directive on Privacy (which may result in organisations being subject to 2 percent fines of global revenue), the report noted.
“It means that these organisations would have some serious questions to answer should they suffer a breach. In fact, regulators such as the SEC, ICO and EU would likely deem that they had failed in their obligation to provide appropriate security protection to prevent sensitive data breaches and impose a hefty financial penalty,” he said. “It’s really not rocket science; if you’ve got sensitive data and you’re not very confident that it’s adequately protected, you need to take action.”
When looking at the difference between organisations, of those who claimed to be very confident that their data was protected, 60 percent were very confident that they know where their sensitive data is stored. More than 40 percent monitor all actual access activity and assign owners to all folders and intranet sites. Additionally, 65 percent review and revoke permissions; 45 percent do so regularly, not just when someone leaves the organisation.
Those who are not confident that the data within their organisations is protected do not know where their data is stored (10 percent), do not monitor all data access (0 percent), do not have owners assigned for all data (3 percent), and less regularly review and revoke access.
One interesting statistic was the confidence level of IT security personnel; their responses fell more into either extreme, with a higher percentage saying they are either very confident (33 percent) or not confident at all (26 percent).
The gaps between the very confident and the other confidence levels were wider than for non-security personnel, especially in access-activity monitoring, and knowing where third-party data resides. The gaps between the fairly confident and the not confident at all were narrower for security personnel than non-security personnel.
“The good news is that most respondents report that their organisations have at least partially implemented fundamental processes and controls for data protection, and there is a clear blueprint for how organisations can increase their data protection maturity,” the report concluded. “The fairly confident report [that they] have all of the fundamental processes and controls in place for at least some of their data. They now need to expand their practice and use to move into the realm of the very confident.”
How well do you know Internet security? Try our quiz and find out!