Companies fail data protection benchmarks
- 11 December, 2007 14:28
Only one in 10 organisations has taken steps to protect sensitive company data, which suggests that most firms are laggards when it comes to data protection.
Research from the IT Policy Compliance Group shows a correlation between the protection of sensitive data and regulatory compliance results.
"Firms that excel at protecting sensitive data also perform well on regulatory compliance audits," the benchmark report said.
Titled "Core competencies for protecting sensitive data", the report surveyed more than 450 organisations globally and compared the firms with the least sensitive data loss (leaders) against those experiencing the most data loss (laggards).
Information Systems Audit and Control Association (ISACA) international president, Lynn Lawton, said the research shows the importance of defining fewer policies or control objectives, pursuing more frequent assessments and leveraging IT change management to prevent unauthorised use of, or changes to, data.
Lawton said the leaders define an average of 30 control objectives and conduct assessments once every 19 days. These firms experience two or fewer data losses and thefts annually, and two or fewer compliance deficiencies annually.
Meanwhile, the laggards define an average of 82 control objectives and conduct assessments once every 230 days. Laggards experience 13 or more data losses and thefts annually and 22 or more compliance deficiencies annually.
"Several recent events have demonstrated how damaging the loss of data can be to an organisation's reputation and strategic objectives. It is critical to ensure that risk-based controls are in place to deter data loss and theft, and that those controls are regularly tested," Lawton said.
"Successful organisations focus on selecting the most relevant controls, instead of simply implementing a large number. The survey results clearly demonstrate that selecting, implementing and communicating the key controls, and regularly assessing their effectiveness, is a more practical approach and gets better results than constantly adding to a complex maze of uncoordinated, isolated controls."
The research indicates that the quality of individual controls matters less than their appropriateness for the specific risks faced and the frequency with which the controls are assessed.
Organisations not implementing risk-appropriate controls and not assessing the effectiveness of procedural and technical controls frequently enough are highly predisposed to data loss and theft.
Managing director of the technology risk practice at Protiviti, Rocco Grillo, said protecting customer and employee data as well as intellectual property has never been as important as it is today due to the rapid increase of compliance requirements and reputation risk.
"Yet data security breaches and identity thefts continue to occur. Even though controls cannot fully guarantee protection, companies need to conduct the appropriate level of due diligence in information security and risk management," Grillo said.
"Proven programs to maintain and increase effective security and safeguarding of sensitive data have had enormous payback in protecting valuable information from theft or loss. Gone are the days where management can sit back and wait for a crisis or incident to spur them into action - everyone needs to be proactive."
Organisations surveyed were located across the globe including the United States, Australia, Canada, France, Germany, Ireland, Japan, Spain and the United Kingdom.