
US executives fail to classify sensitive data

Data collection has advanced, but IT staff at a quarter of companies say there's 'limited or no understanding' of sensitivity.


Today's executives are "less savvy when it comes to how to classify and manage [data]", according to new research in the US.

There is "limited or no understanding of the difference between sensitive information and other data" at nearly a quarter of the companies participating in a survey of about 100 IT executives and others conducted by global consulting firm Protiviti.

The US report, 'The current state of IT security and privacy policies and practises', assesses how organisations classify and manage the data they accumulate, and specifically how they ensure customer privacy when they handle sensitive data. The report also considers how companies comply with federal and state privacy laws and regulations.

"Our survey shows that many companies are holding onto more data than is prudent and for longer time frames than necessary, which poses significant data security and privacy risks," Kurt Underwood, Protiviti's managing director and global head of IT consulting, said in a statement.

He added that there were "opportunities for executives to significantly reduce legal exposures", while improving data management and securing savings.

In the survey, 23 percent of respondents said senior management appeared to have "limited or no understanding" of the difference between sensitive information and other data, while 26 percent believed senior managers had an "excellent" understanding of these differences.

Cal Slemp, Protiviti managing director and head of IT security and privacy, said: "This basic understanding of what constitutes 'sensitive' is absolutely critical because it sets the tone for how data is treated in every phase of its lifecycle - from collection to destruction. Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks."

Interestingly, only 2 percent said their companies stored sensitive information in the cloud, suggesting that migration to cloud computing may be slower than is generally thought - at least in cases of sensitive-data storage. Seven of 10 respondents said their companies use on-site servers for sensitive storage.

The survey also found that 69 percent of companies in the study believe they have a clear data classification policy for categorising information as sensitive, but only 50 percent have specific plans for classification - "suggesting a possible gap in data management."

It also showed 86 percent of respondents have an "acceptable use" policy to control data leakage, 81 percent have a record retention and destruction policy, 75 percent have a written information security policy and 65 percent have a data encryption policy.

"Organisations with these kinds of data leakage policies in place considerably reduce their risk of substantial legal finance and reputation damage," according to Underwood.

Nearly three of every four companies in the survey said they had a crisis response plan in place for data-breach and hacking incidents. But 27 percent of the executives questioned either worked at companies without such a policy, or didn't know if a policy existed.

The survey results were compiled in the fourth quarter of 2011 and the first quarter of 2012 among CIOs, security officers, IT audit vice presidents, and others from companies in a variety of industry sectors. Nearly 70 percent were from companies with $1 billion or more in revenue.


