It’s funny in a way that many posts in this space of late are focused on cyber security – funny because I’m at heart a technophobe that can’t stand how much of modern-day life now relies so heavily on electronic interfaces.
[For example, I still write checks and use the postal service to pay bills, despite now long-term efforts by banks and various utility companies to get me to use electronic bill-pay services. Simply put: ain’t gonna do it.]
Yet despite all my aspirations to be a later-day Luddite, there’s simply no escaping for me – or anyone else for that matter – the tentacles of the cyber world. I rely on a PC (considered practically a Neolithic tool by now, worthy of only cavemen) to craft the written word, while using digital cameras to take pictures and video to be posted to the web.
Movies and music are now all digital in my household (oh how quaint the VCR tapes and vinyl albums do look gathering dust upon the shelves) and I rarely make air travel reservations by phone with a real live human being.
But living as we do in the almost all-digital age means exposing more of our daily lives electronically, too – and that is why cyber security, for individuals, businesses, and governments alike, is just such a critical need these days.
The firm discerned that despite broad recognition that cyber threats are more prevalent than ever before, nearly a third of companies it polled said they are not adequately prepared to respond to a data breach or IT security crisis.
Protiviti survey – conducted over the first two quarters of this year – canvassed 194 information technology executives and professionals at companies with gross annual revenues ranging from less than $100 million to greater than $20 billion.
More than two-thirds (68%) of respondents in Protiviti's survey said they have elevated their focus on information security in response to recent press coverage of so-called "cyber warfare," meaning they are well aware of the growing dangers in the cyber world.
Yet the number of companies that appear inadequately prepared for a crisis is surprisingly high, said Cal Slemp, managing director with Protiviti and global leader of the firm's IT security and privacy practice
When asked if their organizations have a formal and documented crisis response plan for use following a data breach or hacking incident, more than one-third reported that either their organizations did not (21%) or they did not know (13%), he noted.
"Cyber security must continue to be a major focus for businesses, especially in light of recent high-profile security breaches," Slemp stressed. "While we're seeing a greater number of companies across a wider range of industries devote more attention and resources to improving their approach to data security, there are still a lot of businesses that are susceptible to attacks."
According to Protiviti’s survey, many companies lack key data policies and are ineffective at managing data through proper retention and storage practices, including the classification of sensitive data.
Approximately 22% of companies do not have a written information security policy or “WISP” while 32% lack a data encryption policy. Not having these policies in place is an important consideration when a breach involves information covered by data privacy laws and can expose an organization to significant legal liability, Slemp pointed out.
Companies also lack clarity on what constitutes data as sensitive, confidential or public, with only 63% of respondents reporting that their organizations have a system for properly classifying data, he warned.
"The findings suggest many companies are either ineffective in securing the most important data or attempting to secure all data instead of focusing resources on data that presents the greatest risk, if exposed through a breach," Slemp noted. “However, in a positive development, there is year-over-year growth in the percentage of companies putting into place detailed schemes and policies to classify their data, which is key to understanding and securing an organization's most sensitive information.”
Another positive development is that, as data security continues to play a larger role in business operations and the use of so-called “big data” becomes more integrated with strategic business objectives, CIOs are seeing their responsibilities increase.
Protiviti’s survey showed that more CIOs are taking responsibility for data governance strategy, oversight and execution within their organizations. Additionally, companies with documented crisis plans enacted in response to a data breach or hacking incident have now begun to involve their CIOs far more than ever before.
For example, in 2012, only 58% of the firms Protiviti polled reported that their CIO was involved in addressing such an incident compared to 72% in 2013 – an increase of 14%.
"The role of the CIO is becoming more prominent in organizations, in part, because of the importance of data, both in terms of advancing the business as well as managing risk," said Slemp. “The reality is that as data continues to evolve as a critically important asset, it must be managed differently, and more effectively than other assets."
Something to keep in mind as the reach of the cyber world will only continue to expand.