Most Organizations Don't Properly Secure Sensitive Data, Report Finds

The "2014 State of Risk Report" from Trustwave spots a few surprising data security trends, including the fact that most organizations don't have a fully mature method to control and track sensitive data.


When it comes to data security, there is a high degree of awareness of the legal responsibilities, but not as high an understanding of how to limit the risk by tracking sensitive data. That's one of the key takeaways from the "2014 State of Risk Report" from security vendor Trustwave.

The report includes responses from 476 IT professionals from 50 countries, with the majority of respondents in the United States and the United Kingdom. According to the report, 63 percent of organizations today do not have a fully mature method to control and track sensitive data.

"That means many businesses do not know where their valuable data lives, who has access to it and where it moves," Phil Smith, senior vice president of Government Solutions and Special Investigations at Trustwave, told eWEEK. "That kind of information is the first step in building a security strategy."

If an organization doesn't know what its valuable data is and where it exists, then how can the company be expected to protect that data? Smith asked. So, he said, the first component of a risk assessment should be identifying where sensitive data is in an organization. Businesses should know what sensitive data is present, where it is located, where it moves to and who has access to it.

The report also found that while 58 percent of businesses use third parties to manage sensitive data, 48 percent don't actually have a third-party management program in place.

"Many businesses—especially those in retail—outsource payment processes to third-party providers, giving them access to sensitive payment card information," Smith said. "Yet, they do not know what those providers are doing to protect it."

The issue of secure payment processing is particularly important, especially in light of the many high-profile data breaches at retailers in 2014. Smith suggests that businesses open the lines of communication with all third-party providers they use, so that each party knows its responsibility when it comes to data protection. In addition, he advised that businesses build security requirements into their contracts with third parties.

While businesses might not be doing all the right things to secure data, the Trustwave study found that there is a high degree of awareness when it comes to legal responsibilities. Sixty percent of businesses indicated that they are aware of their legal responsibilities for keeping sensitive data safe. The study found that only 21 percent of businesses have not had any security awareness training, meaning that the majority do in fact have some form of training program in place for security.

Additionally, the majority of the respondents to the study indicated that bring-your-own-device (BYOD) controls are in place in their businesses. Only 38 percent of respondents noted that there are no BYOD controls present in their organizations.

"There are still a significant number of businesses who do not have security policies and procedures in place surrounding BYOD," Smith said.

Patch management is a key part of having a secure enterprise, yet the study found that 58 percent of businesses don't have a fully mature patch management process in place. Smith noted that in many cases there is a focus on implementing stronger access controls, intrusion prevention/detection devices and other perimeter security, leaving patching and maintaining current systems lower on the priority list.

"There may also be an issue with legacy systems that may not be in a place that can be patched and so organizations do not have an update process in place," he said.

Another key finding from the study is that board-level participation in company security is strong. Forty-five percent of businesses have board- or senior-level management who take a partial role in security matters. Smith noted that security is a top-level-down issue.

"Every individual in a company needs to make it a top priority, from the technical IT pros to the non-technical employees and executives," Smith said. "C-level executives should be asking their IT team not only, 'Is our data protected?' but also, 'How is our data being protected? What controls are in place? Show me.'"

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.