Auditors concerned companies not taking data security seriously
Data compliance is likely to be one of the biggest business issues affecting enterprise IT over the next 12 to 18 months. Yet many businesses have no strategy in place to secure their data.
A survey from information security professionals association ISACA of nearly 2500 IT, security, audit and assurance managers from around the world found that the huge influx of data security regulations is starting to have an impact on business.
New or updated legislation likely to impact data security in the coming year includes Basel, Frank-Dodd, PII, Do Not Track, Solvency II and HITECH Meaningful Use. Other factors include the rush to embrace new technologies like cloud computing and avoidance of high-profile breaches.
However, a survey conducted by the Ponemon Institute sponsored by Thales e-Security claims that many businesses are still not taking data security seriously and have little or no strategy for deploying data security technologies.
More than 500 auditors were surveyed for the report, with roughly half representing internal IT security audit teams and the remainder representing independent external audit companies and consultancies. Only a third of those surveyed said the organisations they audit are proactive in managing privacy and data protection risks, with less than half (45%) applying sufficient resources to achieve their data compliance requirements.
One of the key findings was that 71% of the auditors surveyed believe that an organization’s information assets cannot be fully protected without the use of cryptography. Eight in ten believe that sensitive or confidential data should be encrypted whenever practical.
The areas where they considered cryptography to be most urgent were internal applications, external service providers (particularly cloud-based software-as-a-service), end-user devices (laptops and desktops) and external business partners. These are the areas identified as the greatest source of audit failures.
The survey claims that the use of encryption is no longer debated - the question for businesses is how, when and where to use the technology. What organisations now need to do is ensure they adopt a strategic approach, identifying and then following best practice when deploying cryptography to ensure they not only meet compliance around data protection but also serve their wider security and operational needs.
There seems to be some consensus among data security experts that the variety and volume of threats are on the increase and that security will suffer if organizations do not adopt a business-wide strategy, rather than dismissing it as an IT concern.