
US executives fail to classify sensitive data

Data collection has advanced, but IT staff at a quarter of companies say there's 'limited or no understanding' of sensitivity.


Today's executives are "less savvy when it comes to how to classify and manage [data]", according to new research in the US.

There is "limited or no understanding of the difference between sensitive information and other data" at nearly a quarter of the companies participating in a survey of about 100 IT executives and others conducted by global consulting firm Protiviti.

The US report, 'The current state of IT security and privacy policies and practises', assesses how organisations classify and manage the data they accumulate, and specifically how they ensure customer privacy when they handle sensitive data. The report also considers how companies comply with federal and state privacy laws and regulations.

"Our survey shows that many companies are holding onto more data than is prudent and for longer time frames than necessary, which poses significant data security and privacy risks," Kurt Underwood, Protiviti's managing director and global head of IT consulting, said in a statement.

He added that there were "opportunities for executives to significantly reduce legal exposures", while improving data management and securing savings.

In the survey, 23 percent of respondents said senior management appeared to have "limited or no understanding" of the difference between sensitive information and other data, while 26 percent believed senior managers had an "excellent" understanding of these differences.

Cal Slemp, Protiviti managing director and head of IT security and privacy, said: "This basic understanding of what constitutes 'sensitive' is absolutely critical because it sets the tone for how data is treated in every phase of its lifecycle - from collection to destruction. Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks."

Interestingly, only 2 percent said their companies stored sensitive information in the cloud, suggesting that migration to cloud computing may be slower than is generally thought - at least in cases of sensitive-data storage. Seven of 10 respondents said their companies use on-site servers for sensitive storage.

The survey also found that 69 percent of companies in the study believe they have a clear data classification policy for categorising information as sensitive, but only 50 percent have specific plans for classification - "suggesting a possible gap in data management."

It also showed that 86 percent of respondents have an "acceptable use" policy to control data leakage, 81 percent have a record retention and destruction policy, 75 percent have a written information security policy and 65 percent have a data encryption policy.

"Organisations with these kinds of data leakage policies in place considerably reduce their risk of substantial legal finance and reputation damage," according to Underwood.

Nearly three of every four companies in the survey said they had a crisis response plan in place for data-breach and hacking incidents. But 27 percent of the executives questioned either said their companies didn't have such a policy, or didn't know if a policy existed.

The survey results were compiled in the fourth quarter of 2011 and the first quarter of 2012 among CIOs, security officers, IT audit vice presidents, and others from companies in a variety of industry sectors. Nearly 70 percent were from companies with $1 billion or more in revenue.

