Trustwave found a surprising data security trend in its 2014 risk status report, including the fact that most companies don’t have a mature approach to controlling and tracking sensitive data.
On data security issues, enterprises show a high degree of awareness of their legal responsibilities, but they have not figured out how to control risk by tracking sensitive data. The report surveyed 476 IT professionals in more than 50 countries, most of them in the United States and the United Kingdom. According to the report, 63% of enterprises don’t have a mature approach to controlling and tracking sensitive data.
“This means that many enterprises don’t know what their sensitive data is and where it is, who can access it and its movements,” Phil Smith, senior vice president of Trustwave, said. “This type of information is the first step in building a security strategy.”
If enterprises don’t know what their sensitive data is or where it is, how can they protect it? Smith said the first part of a risk assessment is to identify the location of the enterprise’s sensitive data. Enterprises should know what their sensitive data is, where it is, how it moves and who has the right to access it.
The report also found that while 58% of enterprises use a third-party program to manage sensitive data, 48% of enterprises actually don’t deploy a third-party management program.
“Many companies (especially retailers) outsource payment processing to third-party vendors, letting them access sensitive payment information,” Smith said. “However, they don’t know how these providers protect their data.”
The issue of secure payment processing is particularly important, especially since so many retail data breaches occurred in 2014. Smith recommends that enterprises communicate with their third-party providers so that each party knows its responsibilities for data protection. In addition, he recommends that enterprises build security requirements into their contracts with third-party providers.
Although enterprises may not protect all of their data, Trustwave’s survey found that they had a high degree of awareness of their legal responsibilities. 60% of enterprises said they knew their legal responsibility to protect sensitive data. The survey also found that only 21% of enterprises didn’t have any security awareness training, which means that most enterprises actually had some form of security training program.
In addition, most respondents indicated that controls over BYOD were already in place. Only 38% of respondents indicated that their companies didn’t have any controls on BYOD.
Smith said: “There are still a lot of companies that do not have security policies and procedures focused on BYOD.”
Patch management is an important part of corporate security, but the study found that 58% of enterprises didn’t have a mature patch management process. Smith pointed out that in many cases enterprises focus on deploying stricter access control, intrusion prevention/detection equipment and other perimeter security, but give patching and maintenance of existing systems lower priority.
Another important finding of the survey is that boards of directors are highly involved in enterprise security. 45% of enterprises have their board of directors or executive-level management involved in security affairs. Security is a top-down problem.
“All parts of the enterprise should consider security an important issue, from IT professionals to non-technical staff and management,” Smith said. “C-level executives should not only ask their IT team ‘Is our data safe?’ They should also ask ‘How is our data protected? What control measures are deployed?’”