Findings of a new survey conducted by risk consulting firm Protiviti show positive progress for organisations – an increasing number now have boards of directors and management that are actively engaged with cyber-security.
Protiviti's 2017 Security and Privacy Survey shows that board engagement in things like adopting best practices in their IT departments is currently at 33 percent, compared to 28 percent in 2015.
The Protiviti 2017 Security and Privacy Survey delivers insights on the specific security policies and qualities that distinguish top-performing companies from other organisations. The survey also offers trends to watch for and identifies prime action items technology leaders can take to strengthen their companies' security capabilities.
“Despite a positive trend towards increased levels of engagement observed from senior management and the board on cyber-security matters, a high percentage of organisations are still lacking confidence in their ability to identify their most valuable data assets - the ‘crown jewels’,” said Ryan Rubin, managing director of security and privacy services within the UK.
Rubin added: “This will become even more challenging as organisations further adopt cloud and mobile computing to support new digital initiatives and increasingly rely on third parties to support their business initiatives.”
Other key findings from Protiviti's survey show that having an engaged board and a comprehensive set of security policies makes a huge difference: companies in which the board has a high level of engagement in information security rate considerably higher than other companies in nearly all facets of information security best practices.
The same holds true for organisations that have all of the core information security policies in place. When it comes to security, these foundational qualities distinguish top-performing organisations from the rest of the pack.
A concerning number of companies – nearly one in five – cannot confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme and effective policies that are supported across the enterprise.
People, as well as policies, are key to an effective security programme. Security policies are best supported with training programmes and communications for employees, who are often responsible, unintentionally or otherwise, for enabling data and security breaches. Organisations should focus on promoting a culture of security policy compliance.
Vendor risk management must mature – as the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organisations and other companies when it comes to overall knowledge of vendors' data security management programmes and procedures – areas that might stand between an organisation's crown jewels and cyber-attackers.
Rubin concluded: “Without clarity on what to protect and where additional protection is needed, organisations run the risk of over investing in security to cover areas that are less critical and under-investing in critical business areas. A clearer focus on the ‘crown jewels’, along with more effective policies and organisational processes, will help to reduce these risks from materialising and impacting organisations when security incidents occur.”