The majority of businesses don't have a solid system for tracking sensitive data, or a mature patch management process, according to a new survey of IT professionals released by Trustwave.
In 19 percent of companies there was no control or tracking of sensitive data at all, said respondents to the 2014 State of Risk survey, which was conducted by a third party on behalf of the Chicago-based security firm. And 63 percent said their process for managing this data was not fully mature.
"That is a very scary statistic," said Phil Smith, Trustwave's SVP for government solutions and special investigations.
"If you don't know where your data is -- your sensitive data, your critical data, data that you use to operate your business -- then how can you protect it?"
The data on patch management was almost as bad.
Some 12 percent of companies have no patch management process in place at all, and the process is not fully mature at 58 percent of companies.
What this means is that patching is done in an inconsistent or ad-hoc manner.
"This should be done on a regular and routine basis," Smith said. "And it's not happening."
As a result, critical patches can slip through the cracks, leaving the company open to external or internal threats.
"Over and over again we see that that's how hackers are getting a foothold into a network," he said. "This is low-hanging fruit. That's what we see as exploitations occur from known vulnerabilities that can be easily fixed through patching."
The report was based on answers from people well-placed to know how well their companies were doing -- nearly 500 technology managers, network or system administrators, CIOs, and CTOs from the United States and fifty other countries.
In other results, 50 percent of businesses run vulnerability scans on internal systems less than once per quarter, and 60 percent run them less than once per quarter on critical systems hosted with third parties. Meanwhile, 18 percent never run penetration tests at all.
What was surprising to Smith was the level of involvement by senior executives in corporate security issues. At 9 percent of companies, there was no involvement at all, and at 45 percent there was board or senior management involvement only to a limited degree.
"We've seen an uptick over the years, with more board management being involved, but we're not there yet," Smith said. "The boards and executive teams need to be engaged."
One suggestion he offered is for companies to hold incident response readiness exercises that involve a broad range of company functions.
According to the report, 36 percent of companies test their incident response procedures annually, 18 percent test them twice a year, and 25 percent do it quarterly.
That allows companies to ensure that people know what they're expected to do in case of a crisis, and identifies problems early.
"If you can do it through an exercise, then it's only an awkward situation and something they can address when it's not so critical," Smith said. "When we get executives, lawyers, and IT professionals together, the dialogue that starts to happen is very interesting."
For example, the first time a company runs one of these tests, he said, what usually happens is that the IT participants are constantly called away from their work responding to the problem in order to update the other executives on what's going on.
"There's nothing like pain to get people's attention," he added.
However, 21 percent of companies never do this kind of testing at all.