Data Security Policies Are Improving, but Risks Keep Rising

More than half (51 percent) of the organizations surveyed maintain multiple data protection policies, a Lumension report finds.


IT security departments are responding to data security risks with better policies, improved technology approaches and financial commitment, according to a worldwide study of more than 700 IT professionals by endpoint security specialist Lumension Security.

The majority (51 percent) of organizations surveyed now maintain multiple data protection policies, up 16 percent from when the question was first asked in 2012.

In 2014, 27 percent said they consider their data security policies exhaustive while 18 percent said their policies are minimal, a decrease of 30 percent since 2012.

"There are three areas that organizations with limited budgets need to address when it comes to data protection—culture, policy and technical controls," Chris Merritt, director of solution marketing at Lumension, told eWEEK. "Everyone, from the CEO to the junior clerk, needs to think security in their daily actions."

However, organizations report a continued need to defend against different types of attacks, including malware (57 percent), software vulnerability exploitation (23 percent) and denial-of-service attacks (19 percent).

Survey results also indicated that businesses struggle with related IT risks. At the top of the list this year is accidental data loss by employees, cited by 40 percent of respondents. This represents a 10 percentage point increase from last year's level.

To combat these risks, organizations are also implementing security training. Of those that are doing so, 46 percent said they offer security training on a formal and ongoing basis and 28 percent do so on an informal, ad hoc basis. Both of these figures have increased from last year. However, 9 percent said they offer no security training.

"I think we will continue to see an ever-evolving, more sophisticated onslaught of malware attacking through various means such as phishing, bad apps, drive-bys and so on," Merritt said. "We will see continued growth in two areas in particular: malware designed to attack Macs—Apple OS X systems—and designed to attack mobile phones, both iOS and Android."

Just 8 percent maintain an "open access" policy while a fifth allow access with employee education and 16 percent limit access to higher-level staff. Additionally, one-fourth permit "controlled access" while more than one-fourth restrict access.

Organizations that assign less than 2 percent of their IT budgets to security fell 26 percent from last year, while those that dedicate as much as 10 percent grew by 34 percent.

"The area that I think we'll see the biggest noise in 2015 is destructive malware—be it ransomware meant to hold data hostage or truly evil malware designed to erase all digital information within an organization, such as was seen at Sony recently," Merritt said. "This trend is particularly worrisome because it does more than steal data. It can lead to severe business disruptions or even going out of business, as it has done in a couple of cases recently."