Businesses are failing on security and good data practice

Businesses are failing to maintain proper security and are still not managing data properly, according to the big-picture findings of a new piece of research from Protiviti.

The firm's 2014 IT Security and Privacy Survey, the third one it has undertaken, took in the opinions of some 340 CIOs, CSOs, IT directors, managers and IT auditors, and highlighted some major weak areas where businesses need to clean up their security act.

For starters, businesses are not prepared for crisis scenarios, with the survey finding an increase year-on-year in the number of companies without a crisis response plan to follow in response to a data breach or hack.

Businesses also lack "high confidence" in their ability to prevent a data breach or cyber-attack, and there is a feeling that attackers are highly creative, difficult to deal with, and a breach is somehow inevitable at some stage.

As regards proper data policies, one in three firms don't have a written information security policy, and 40 per cent lack a data encryption policy. A quarter of the companies surveyed didn't have acceptable use or record retention/destruction policies – all of this being quite worrying, particularly when you consider that the percentage of organisations which retain all data has more than doubled according to Protiviti.


On a more positive note, three out of four boards had "a good level of understanding" of IT security risks, but one in five was found to have a "low level of engagement" in terms of addressing important data security risks.

Organisations are becoming more aware of their data lifecycle (how long information is stored, and indeed where), and CIOs and CSOs are "more engaged" when it comes to "taking on the primary responsibility for security policies" compared to previous years. So some progress is being made, as Ryan Rubin, managing director of Protiviti, noted.

Rubin said: "Our survey results tell a story of gaps between where companies currently stand and where they should be in relation to fundamental elements of IT security. Some progress has been made since our last survey, yet many organisations still fall short of important standard protocols for IT security and privacy. Companies need to take more action in relation to the risks they recognize to better protect their crucial data."
