Seventy percent of organizations storing third party data are not ‘very confident’ that the sensitive data stored within their organization is protected, according to a survey conducted by Varonis, a provider of data governance software. With 80 percent of organizations surveyed storing sensitive information from customers, clients, vendors and business partners, rather disconcertingly over half were only ‘fairly confident’ that it is protected. Nearly one fifth were ‘not confident at all’ that sensitive data is protected and 5 percent were left ‘unsure’.
This means that the majority of organizations in this study are failing to comply with Sarbanes-Oxley, the UK Data Protection Act 1988 and the EU Data Directive on Privacy which may result in organizations being subject to 2 percent fines of global revenue, the report noted. David Gibson, director of strategy for Varonis, said it’s worrying that so many companies are still complacent when it comes to data protection.
“It means that these organizations would have some serious questions to answer should they suffer a breach. In fact, regulators such as the SEC, ICO and EU would likely deem that they had failed in their obligation to provide appropriate security protection to prevent sensitive data breaches and impose a hefty financial penalty,” he said. “It’s really not rocket science — if you’ve got sensitive data and you’re not very confident that it’s adequately protected, you need to take action."
When looking at the difference between organizations, of those who claimed to be very confident that their data was protected, 60 percent were very confident that they know where their sensitive data is stored. Over 40 percent monitor all actual access activity and assign owners to all folders and intranet sites. Additionally, 65 percent review and revoke permissions — 45 percent do so regularly, so not just when someone leaves the organization. Perhaps unsurprisingly, those who are not confident that the data within their organizations is protected do not know where their data is stored (10 percent), do not monitor all data access (0 percent), do not have owners assigned for all data (3 percent), and less regularly review and revoke access.
One interesting statistic was the confidence level of IT security personnel their responses fell more into either extreme, with a higher percentage saying they are either very confident (33 percent) or not confident at all (26 percent). The gaps between the very confident and the other confidence levels were wider than for non-security personnel, especially in access activity monitoring, and knowing where third party data resides. The gaps between the fairly confident and the not confident at all were narrower for security personnel than non-security personnel.
“The good news is that most respondents report that their organizations have at least partially implemented fundamental processes and controls for data protection, and there is a clear blueprint for how organizations can increase their data protection maturity,” the report concluded. “The fairly confident report to have all of the fundamental processes and controls in place for at least some of their data they now need to expand their practice and use to move into the realm of the very confident.”
To read the original eWeek article, click here: Business Lack Confidence in Data Security: Report
