Today's companies, clearly very good at collecting data, seem "less savvy when it comes to how to classify and manage it."
That's the conclusion of a survey among 100 IT executives and others conducted by global consulting firm Protiviti, which finds that there is "limited or no understanding of the difference between sensitive information and other data" at nearly a quarter of the companies participating in its survey.
The report is titled "The Current State of IT Security and Privacy Policies and Practices." Its topic: how organizations classify and manage the data they accumulate, and specifically how they ensure customer privacy when they handle sensitive data, and how they comply with federal and state privacy laws and regulations.
Holding data too long
The survey results were compiled in Q4 2011 and Q1 2012 among CIOs, security officers, IT audit vice presidents, and others from companies in a variety of industry sectors. Nearly 70 percent were from companies with $1 billion or more in revenue.
"Organizations have made significant strides over the past decade integrating enterprise applications and collecting terabytes of valuable customer, supplier and employee data," Kurt Underwood, Protiviti's managing director and global head of IT consulting, said in a press release. "However, our survey shows that many companies are holding onto more data than is prudent and for longer time frames than necessary, which poses significant data security and privacy risks. There are opportunities for executives to significantly reduce legal exposures, while driving sensitive data management improvements and cost savings."
In the survey, 23 percent of respondents said senior management appeared to have "limited or no understanding" of the difference between sensitive information and other data, while 26 percent believed senior managers had an "excellent" understanding of these differences.
Said Cal Slemp, Protiviti managing director and head of IT security and privacy: "This basic understanding of what constitutes 'sensitive' is absolutely critical because it sets the tone for how data is treated in every phase of its lifecycle - from collection to destruction. Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks."
Data classification policies
The survey also found that 69 percent of companies in the study believe they have a clear data classification policy for categorizing information as sensitive, but only 50 percent have specific plans for classification -- "suggesting a possible gap in data management."
It also showed that 86 percent of respondents have an "acceptable use" policy to control data leakage, 81 percent have a record retention and destruction policy, 75 percent have a written information security policy, and 65 percent have a data encryption policy.
"Organizations with these kinds of data leakage policies in place considerably reduce their risk of substantial legal, financial and reputation damage," according to Underwood.
Nearly three of every four companies in the survey said they had a crisis response plan in place for data-breach and hacking incidents. But 27 percent of the executives questioned either said their companies had no such plan, or didn't know whether one existed.
Also, only 2 percent said their firms stored sensitive information in the cloud, a result indicating to Protiviti that migration to cloud computing may be slower than is generally thought -- at least in cases of sensitive-data storage. Seven of 10 respondents said their companies use on-site servers for sensitive storage.