Seventy percent of organizations storing third-party data are not "very confident" that the sensitive data stored within their organization is protected, according to a survey conducted by Varonis, a provider of data-governance software. With 80 percent of organizations surveyed storing sensitive information from customers, clients, vendors and business partners, more than half were only "fairly confident" that it is protected. Nearly one-fifth were "not confident at all" that sensitive data is protected, and 5 percent were "unsure."
This means that the majority of organizations in this study are failing to comply with Sarbanes-Oxley, the United Kingdom Data Protection Act of 1988 and the EU Data Directive on Privacy (which may result in organizations being subject to 2 percent fines of global revenue), the report noted.
It's disconcerting that so many companies are still complacent when it comes to data protection, said David Gibson, director of strategy for Varonis.
It means that these organizations would have some serious questions to answer should they suffer a breach. In fact, regulators such as the SEC, ICO and EU would likely deem that they had failed in their obligation to provide appropriate security protection to prevent sensitive data breaches and impose a hefty financial penalty, he said. It's really not rocket science; if you've got sensitive data and you're not very confident that it's adequately protected, you need to take action."
When looking at the difference between organizations, of those who claimed to be very confident that their data was protected, 60 percent were very confident that they know where their sensitive data is stored. More than 40 percent monitor all actual access activity and assign owners to all folders and intranet sites. Additionally, 65 percent review and revoke permissions; 45 percent do so regularly, not just when someone leaves the organization.
Those who are not confident that the data within their organizations is protected do not know where their data is stored (10 percent), do not monitor all data access (0 percent), do not have owners assigned for all data (3 percent), and less regularly review and revoke access.
One interesting statistic was the confidence level of IT security personnel; their responses fell more into either extreme, with a higher percentage saying they are either very confident (33 percent) or not confident at all (26 percent).
The gaps between the very confident and the other confidence levels were wider than for nonsecurity personnel, especially in access-activity monitoring, and knowing where third-party data resides. The gaps between the fairly confident and the not confident at all were narrower for security personnel than nonsecurity personnel.
The good news is that most respondents report that their organizations have at least partially implemented fundamental processes and controls for data protection, and there is a clear blueprint for how organizations can increase their data protection maturity, the report concluded. The fairly confident report [that they] have all of the fundamental processes and controls in place for at least some of their data. They now need to expand their practice and use to move into the realm of the very confident.