Are Companies Becoming More Engaged with Cybersecurity Risks?
With global cybercriminal risk at an all-time high, the findings of a new survey conducted by global consulting firm Protiviti show positive progress for organizations – an increasing number of them have boards of directors and management that are actively engaged with cybersecurity and adopting best practices in their IT departments. Protiviti’s 2017 Security and Privacy Survey shows that current board engagement levels are at 33%, compared to 28% in 2015.
“While the increase in boards of directors’ and company management’s engagement with information security is a positive sign, it’s imperative that leadership keeps closer tabs on the state of their organizations’ cybersecurity programs,” said Scott Laliberte, a Protiviti managing director and leader of the firm’s global IT security and privacy practice. “Particularly as new technologies are introduced and new approaches to generating revenue are deployed, it’s increasingly important to reexamine existing data security and privacy processes on a regular basis – ensuring that the right systems and people are in place to keep pace with changes.”
Key findings from Protiviti’s survey include:
- Having an engaged board and a comprehensive set of security policies makes a huge difference – In assessing the results for companies in which the board has a high level of engagement in information security, these organizations rate considerably higher than other companies in nearly all facets of information security best practices. The same holds true for organizations that have all of the core information security policies in place (as recommended by Protiviti). When it comes to security, these foundational qualities distinguish top-performing organizations from the rest of the pack.
- A concerning number of companies – nearly one in five – cannot confidently identify or locate their most valuable data assets. Protecting these “crown jewels” requires a data classification scheme and effective policies that are supported across the enterprise.
- People, as well as policies, are key to an effective security program. Security policies are best supported with training programs and communications for employees, who are often responsible, unintentionally or otherwise, for enabling data and security breaches. Organizations should focus on promoting a culture of security policy compliance.
- Vendor risk management must mature – As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps currently exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures – areas that might stand between an organization’s crown jewels and cyber-attackers.
Protiviti considers and recommends five core information security policies to have in place. The percentage of companies that have adopted each is:
- An acceptable use policy (80%)
- A records retention/destruction policy (78%)
- A data encryption policy (70%)
- A written information security policy (69%)
- A social media policy (59%)
However, there is significant progress to be made because only 38% of surveyed companies have all five information security policies in place today.
The Protiviti 2017 Security and Privacy Survey delivers insights on the specific security policies and qualities that distinguish top-performing companies from other organizations. The survey also offers trends to watch for and identifies prime action items technology leaders can take to strengthen their companies’ security capabilities.