Information is the new currency of business and this year progress has been made to secure it, but there is still work to be done, according to a worldwide study released Wednesday at a seminar in New York.
Case in point: The study found that though security technology implementation is increasing, many companies don't know where all their important data is located.
The sixth annual study titled, “The State of Information Security 2008,” was conducted in part by PricewaterhouseCoopers.
More than three out of 10 respondents had trouble answering basic information about their company's key information inventory, according to the study. Some 71 percent of respondents said their organization does not have an accurate inventory of where personal data for employees and customers is stored.
“How do you know what to protect if you don't know what you have and where it is?” Mark Lobel, a principal in the Advisory practice of PricewaterhouseCoopers, asked the audience Wednesday at the "2008 Global State of Information Security" seminar, held at PwC's headquarters in midtown Manhattan.
There was plenty of good news. The study concluded that increases in implementation of new security technologies were shown across all industries and countries, including encryption, web security, and intrusion detection and prevention.
Deployment of laptop and database encryption each increased by 10 percent from 2007. Implementation of web and internet content filters jumped from 51 percent in 2007 to 69 percent in 2008, the study showed. And more companies are creating security policies and reviews.
The study also showed some regional improvement trends over the past year. India has seen dramatic increases in security, surpassing almost all countries in the world. China has also improved, but at a slower rate. Overall, Asia is now on par with North America in their security practices.
But there are additional areas that need improvement.The study found that there is a disconnect between the view of compliance and what is actually happening. Some 73 percent of respondents estimated users are complying with internal security policies, but only 43 percent audited compliance with security policies. Even C-level executives disagree whether security spending and security policies were aligned with business objectives.
Lobel posed three "calls to action" to companies at Wednesday's seminar. Ideally, he said, companies should respond with a "yes" to the following questions: Do you know what data you have? Do you have a strategy that includes people, processes and technology? Do you have a leader in you company to guide it and pull it all together?
“What we need is leadership -- and a plan,” Lobel said.