First and foremost, organizations must “determine the location of information assets and the control practices that exist to protect it,” he said.
From there, they must create a governance process that prioritizes information based on its importance or risk to the company, then applies rules and policies to the use and propagation of the data.
“Third, organizations should invest in technologies that help IT and IT security practitioners to gain visibility over the information lifecycle (i.e., creation, collection, use, sharing and retention of information assets),” Ponemon said.
And lastly they must “establish metrics for success to ensure that the above steps are reducing the risk of data loss or theft,” he said.
If companies do not close the gap between needing to protect data and actually protecting it, especially business-critical information assets, they could face costly consequences “in terms of customer churn, diminished reputation and legal actions,” Ponemon said.
“In short, ‘ignorance is bliss’ is not an acceptable defense,” he added.