US executives fail to classify sensitive data
Data collection has advanced, but IT staff at a quarter of companies say there's 'limited or no understanding' of sensitivity.
By Roy Harris | CFO World | Published 18:00, 12 March 12
Today's executives are "less savvy when it comes to how to classify and manage [data]", according to new research in the US.
There is "limited or no understanding of the difference between sensitive information and other data" at nearly a quarter of the companies participating in a survey of about 100 IT executives and others conducted by global consulting firm Protiviti.
The US report, 'The current state of IT security and privacy policies and practices', assesses how organisations classify and manage the data they accumulate, and specifically how they ensure customer privacy when they handle sensitive data. The report also considers how companies comply with federal and state privacy laws and regulations.
"Our survey shows that many companies are holding onto more data than is prudent and for longer time frames than necessary, which poses significant data security and privacy risks," Kurt Underwood, managing director and global head of IT consulting at Protiviti, said in a statement.
He added that there were "opportunities for executives to significantly reduce legal exposures", while improving data management and securing savings.
In the survey, 23 percent of respondents said senior management appeared to have "limited or no understanding" of the difference between sensitive information and other data, while 26 percent believed senior managers had an "excellent" understanding of these differences.
Cal Slemp, Protiviti managing director and head of IT security and privacy, said: "This basic understanding of what constitutes 'sensitive' is absolutely critical because it sets the tone for how data is treated in every phase of its lifecycle - from collection to destruction. Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks."
Interestingly, only 2 percent said their companies stored sensitive information in the cloud, suggesting that migration to cloud computing may be slower than is generally thought - at least in cases of sensitive-data storage. Seven of 10 respondents said their companies use on-site servers for sensitive storage.
The survey also found that 69 percent of companies in the study believe they have a clear data classification policy for categorising information as sensitive, but only 50 percent have specific plans for classification - "suggesting a possible gap in data management."
It also showed that 86 percent of respondents have an "acceptable use" policy to control data leakage, 81 percent have a record retention and destruction policy, 75 percent have a written information security policy and 65 percent have a data encryption policy.
"Organisations with these kinds of data leakage policies in place considerably reduce their risk of substantial legal, financial and reputation damage," according to Underwood.
Nearly three of every four companies in the survey said they had a crisis response plan in place for data-breach and hacking incidents. But 27 percent of the executives questioned either said their companies had no such plan, or didn't know whether one existed.
The survey results were compiled in the fourth quarter of 2011 and the first quarter of 2012 among CIOs, security officers, IT audit vice presidents, and others from companies in a variety of industry sectors. Nearly 70 percent were from companies with $1 billion or more in revenue.