Report: Organizations recognize security risks, slow to take action
A recent study has found a significant gap between perceived risk and the actual safeguarding of sensitive data.
Businesses continue to struggle to prioritize safeguarding confidential data, despite 72 percent having suffered a data breach over the last year, according to a recent report.
Even though significant breaches at Target and other companies have shown just how devastating a breach can be, companies have been slow to adopt appropriate safety measures — only 51 percent of the 1,587 IT executives surveyed by the Ponemon Institute for “The State of Data Centric Security” gave high priority status to securing confidential data.
The gap between perceived risk and extant practice is surprising, Larry Ponemon, chairman and founder of the Ponemon Institute, said in a Wednesday email correspondence with SCMagazine.com, especially considering more than half, 58 percent, said the breaches their companies suffered could have been avoided.
While 79 percent understand that their companies are at serious risk when they do not know where sensitive and confidential data is located — 59 percent of the retailers surveyed said that “keeps me up at night” — many face challenges that prevent them from implementing security measures.
“Most respondents recognize the very significant business risk facing their organizations as a result of insecure data assets,” Ponemon said. “Despite this recognition, many respondents acknowledge they do not have the people, process and technology to curtail this serious risk.”
In fact, respondents indicated that they are feeling the sting of limited resources and skillsets. The report, sponsored by Informatica, found that 57 percent would like to have more skilled security professionals on staff.
The skyrocketing volume of data alone continues to pose problems.
“The increase in data from all sources increases the risk of data breach and other privacy-related snafus for organizations,” said Ponemon. “Mobile devices, mobile workforce and employees' use of insecure cloud apps further exacerbate this risk.”
Ponemon advocates a data-centric approach to security, which, he said, establishes “a holistic framework that helps organizations cope with massive increases in both structured and unstructured data.”
First and foremost, organizations must “determine the location of information assets and the control practices that exist to protect it,” he said.
From there, they must create a governance process that prioritizes information based on its importance or the risk it poses to the company, then applies rules and policies to the use and propagation of that data.
“Third, organizations should invest in technologies that help IT and IT security practitioners to gain visibility over the information lifecycle (i.e., creation, collection, use, sharing and retention of information assets),” Ponemon said.
And lastly they must “establish metrics for success to ensure that the above steps are reducing the risk of data loss or theft,” he said.
If companies do not close the gap between needing to protect data and actually protecting it, especially business-critical information assets, they could face costly consequences “in terms of customer churn, diminished reputation and legal actions,” Ponemon said.
“In short, ‘ignorance is bliss’ is not an acceptable defense,” he added.