The Battle Continues: Working to Bridge the Data Security Chasm. Assessing the Results of Protiviti's 2015 IT Security and Privacy Survey



EXECUTIVE SUMMARY

Cyber concerns and discussions abound in companies today. From the boardroom and C-suite to IT, Legal, Finance and more, every corner and function of the business appears intent on addressing these issues aggressively. But are these intentions translating into effective policies and actions to secure the crown jewels of organizations? The answers are mixed, at best, according to the results of Protiviti's latest IT Security and Privacy Survey.

In last year's study, we identified notable gaps, or chasms, that separated top-performing companies from other organizations in terms of best practices in IT security and privacy, as well as where these organizations needed to progress to bridge these gaps. Fast-forward a year, and as we note below in our Key Findings, many of these gaps remain. But there definitely are bright spots, starting with those organizations that have changed with confidence to become what we classify as top performers. In these organizations, the board of directors is highly engaged in information security, and there are strong frameworks that include fundamental information security policies.

Our Key Findings

1. Tone from the top is a critical differentiator. From strong board engagement in information security to management establishing best-practice policies, effective information security begins with the right tone from the top, which is as important as any policy. Consider this question: Have we communicated to our people what we expect?

2. Having the right policies is the foundation of strong information security. Organizations that have in place all core information security policies, including acceptable use, data encryption and more, demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities.

3. Many companies lack critical policies and an understanding of their crown jewels. One in three companies lack policies for information security and data encryption. Many have not identified critical systems or implemented data classification. And most lack a strong understanding of their most sensitive data and information, as well as their potential exposures. Such gaps open up the organization to cyberattacks and significant security issues.

4. There aren't high levels of confidence in the ability to prevent an internal or external cyberattack. While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they can monitor, detect or prevent a targeted cyberattack, either from external parties or insiders. However, this mindset is not necessarily a bad thing; in fact, it may be a healthy one if the perspective drives a focus on improvement.

PROTIVITI The Battle Continues Working to Bridge the Data Security Chasm 1


SURVEY METHODOLOGY

Protiviti conducted its IT Security and Privacy study in the third quarter. More than 700 Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT Vice Presidents and Directors, and other IT management-level professionals completed an online questionnaire designed to assess information security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics. Respondent demographics can be found on pages ...

In our discussion of the results and our commentary, we make observations that may apply in different ways depending on an organization's specific profile: size, type (public, private, nonprofit), industry, etc. Since completion of the survey was voluntary, there is some potential for bias if those choosing to respond have significantly different views on matters covered by the survey from those who did not respond. Therefore, our study's results may be limited to the extent that such a possibility exists. In addition, some respondents answered certain questions while not answering others. Despite these limitations, we believe the results herein provide valuable insights regarding IT security and privacy standards in place in organizations today.


RESULTS AND ANALYSIS

Board Engagement, Proven Data Policies Are Keys to Effective Information Security

As part of our analysis, we have identified two critical success factors that drive a strong IT security and privacy posture in organizations:

1. A high level of engagement by the board of directors in information security risks
2. Having all core information security policies in place

In this year's survey, as well as in previous editions of this study and other Protiviti research, we have observed a strong correlation between the level of board engagement and the information security posture of the organization.[1] In sum, companies with a high level of board engagement are more likely to have other best practices in place. In this survey, we also have observed a similar correlation between organizations that have all core information security policies in place and those that don't, in that the former demonstrate stronger practices overall. Throughout our report, we compare the results from these two groups of companies that exhibit the above success factors, which we categorize collectively as top-performing organizations, with other companies that do not, and identify notable gaps.

How engaged is your board of directors with information security risks relating to your business?

Response | All respondents 2015 | All respondents 2014 | Large companies (≥ $1B) 2015 | Large companies (≥ $1B) 2014 | Small companies (< $1B) 2015 | Small companies (< $1B) 2014
High engagement and level of understanding by the board | 28% | 30% | 32% | 34% | 24% | 26%
Medium engagement and level of understanding by the board | 32% | 41% | 33% | 45% | 33% | 36%
Low engagement and level of understanding by the board | 15% | 20% | 11% | 12% | 19% | 30%
Don't know | 25% | 9% | 24% | 9% | 24% | 8%

Which of the following policies does your organization have in place? (Multiple responses permitted)

Policy | All respondents 2015 | All respondents 2014 | Large companies (≥ $1B) 2015 | Large companies (≥ $1B) 2014 | Small companies (< $1B) 2015 | Small companies (< $1B) 2014
Acceptable use policy | 77% | 76% | 82% | 84% | 72% | 69%
Record retention/destruction policy | 74% | 76% | 80% | 84% | 71% | 71%
Data encryption policy | 67% | 59% | 79% | 67% | 58% | 52%
Written information security policy (WISP) | 66% | 66% | 72% | 79% | 60% | 52%
Social media policy | 55% | 59% | 61% | 67% | 50% | 51%

[1] We observed this same correlation in our 2015 Internal Audit Capabilities and Needs Survey. For more information, visit ...

Commentary

Though the results in this year's study are comparable to our findings in 2014, we continue to encounter in the market a growing level of engagement and inquiry among board members in numerous facets of cybersecurity. Board members are striving to understand what undoubtedly are complex technical areas, what investments are required and how effective the proposed solutions will be. This underscores the need for IT leaders to communicate these issues succinctly and at a high level for a non-technical audience. Of note, managing cyberthreats was ranked by board members and C-suite executives to be among the top risk areas for 2015, according to a study conducted by North Carolina State University's ERM Initiative and Protiviti.[2]

Looking Ahead: Trends to Watch

- With boards of directors becoming more and more engaged in the IT security programs and practices in their organizations, board members will be looking to their IT leaders to provide greater understanding and clarity around a complex subject.
- Information security is also a growing area of focus for management and operational leaders. IT leaders should be as inclusive as possible in their communications regarding key initiatives.

Action Items for IT Leaders

- Develop effective communications with the board, either directly or indirectly, regarding key top-line cybersecurity initiatives.
- Ensure communications regarding information security and cybersecurity efforts, particularly those going to the board, contain summarized high-level messages. Remember: Less is more, especially with board members who are assessing a broad range of information from different management leaders and have little time to review reams of technical information and data.
- With board-level communications, avoid technical jargon as well as heavy use of metrics and statistics. Focus on streamlined information: consider how to deliver all key messages in just one or two pages. Such an approach may be appropriate for other members of management, as well.
- The communication and supporting metrics used with the board should have a clear linkage to operational and executive reporting already occurring. The messages, their justification and foundation, and the trends must be consistent throughout the organization.
- Plan for and request the budgets and resources necessary to build effective IT security. Remember that boards are expecting IT leaders to ask for the resources they need to protect the organization. Also keep in mind that with board support come expectations that budgets and resources will be employed wisely to reduce risk at the organization.

[2] Executive Perspectives on Top Risks for 2015: Key Issues Being Discussed in the C-Suite, North Carolina State University's ERM Initiative and Protiviti.

News Coverage Continues to Spur Interest in Cyberwarfare

Broad media coverage of cyber breaches continues to drive high interest in information security, as we have seen in the results of previous years' surveys.

How has recent press coverage on cyberwarfare and/or cybersecurity affected your interest in, and focus on, the subject of information security? (Comparing top-performing organizations)

Response | All respondents 2015 | All respondents 2014 | With high board engagement in information security | Without high board engagement | With all core information security policies | Without all core information security policies
Significantly more interest and focus | 23% | 32% | 34% | 20% | 25% | 23%
Somewhat more interest and focus | 36% | 37% | 33% | 38% | 33% | 38%
No change in interest and focus | 38% | 30% | 29% | 41% | 39% | 37%
Somewhat less interest and focus | 1% | 1% | 3% | 0% | 1% | 1%
Significantly less interest and focus | 2% | 0% | 1% | 1% | 2% | 1%

Commentary

What is particularly noteworthy here is the fact that, for several years now, there has been substantial media coverage on cybersecurity and cyberwarfare, with a commensurate level of interest in information security among organizations. Yet we continue to find that press coverage is generating more focus on these areas, suggesting that even though interest levels were already high, they continue to grow. This underscores the top-of-mind nature of security concerns for businesses today.

Looking Ahead: Trends to Watch

- Regulations and regulatory oversight concerning cybersecurity will continue to increase, with more requirements to notify stakeholders and the public in a timely manner of cyber incidents, data breaches and their impact. Such announcements undoubtedly will fuel further press coverage.
- Increasing press coverage will likely spur more questions from the board and management regarding the organization's state of cybersecurity readiness and its ability to respond to a breach in an effective and timely manner.

Action Items for IT Leaders

- To the extent possible, be proactive in communicating with management on a regular basis regarding cybersecurity measures, including efforts that comply with legal and industry regulations.
- As noted earlier, strive to streamline communications with board members and the C-suite: provide high-level, non-technical summaries of cybersecurity measures, including but not limited to incident response plans.
- Implement easy-to-understand metrics to show the board and management you are attempting to measure effectiveness and progress. There will be expectations that controls will increase in maturity; therefore, ensure there are measures to support whether these controls are effective.

Confidence Levels in Preventing a Breach Aren't High, But That May Not Be a Bad Thing

This year's results regarding the confidence levels of organizations to identify and prevent security incidents are comparable to those in our 2014 study. We see that for top-performing organizations, confidence levels trend significantly higher.

On a scale of 1 to 10, where 10 is a high level of awareness and 1 is little or no awareness, please rate senior management's level of awareness with regard to your organization's information security exposures.

[Chart: average rating for organizations with and without high board engagement in information security, and with and without all core information security policies; one value legible: 7.0]

On a scale of 1 to 10, where 10 is a high level of confidence and 1 is little or no confidence, rate your level of confidence that your organization is able to monitor, detect and escalate potential security incidents by a well-funded attacker.

[Chart: average rating for the same four groups; one value legible: 6.3]

On a scale of 1 to 10, where 10 is a high level of confidence and 1 is little or no confidence, rate your level of confidence that your organization is able to prevent a targeted external attack by a well-funded attacker.

[Chart: average rating for organizations with and without high board engagement in information security, and with and without all core information security policies; one value legible: 6.2]

On a scale of 1 to 10, where 10 is a high level of confidence and 1 is little or no confidence, rate your level of confidence that your organization is able to prevent an opportunistic breach as a result of actions by a company insider (employee or business partner).

[Chart: average rating for the same four groups; one value legible: 6.1]

Commentary

While these results are virtually unchanged from our 2014 study, they should be viewed with an understanding that such confidence levels will not necessarily rise over time. Further, this is a constructive mindset for organizations to have. With regard to information security, companies cannot become complacent with their current practices and procedures, particularly as cyberattacks become increasingly sophisticated and multi-vectored.

Looking Ahead: Trends to Watch

- Most industry experts and regulatory authorities expect the frequency of cyberattacks to increase in the coming years. They should continue to garner significant news coverage and raise more questions to boards and management regarding the readiness of their organizations to both withstand and respond to attacks.
- The spectrum and sophistication of cyberattacks will continue growing, as well: distributed denial of service (DDoS), advanced persistent threats (APTs), social engineering, malware and more. In addition, the types of black hat responsible parties are diversifying, ranging from joy riders and global hacking groups to nation states. And with turnkey hacking kits, which require little or no technological sophistication to run, becoming more prevalent, organizations can expect the number of potential threats to their information security to continue growing. Of note, in 2014 the median period of time that attackers were on a network before being discovered was 205 days, or more than six months.[3]
- Social engineering is particularly problematic for organizations. Capitalizing on the human side of security exposures, as opposed to a technology weakness, has been judged to be the most effective method for cyberattackers to gain entry into IT systems and data. In our experience, we find that one in three people who are targeted in social engineering tests fall for the ruse. Additionally, it often is the people with the most tenure and organizational seniority who fall victim to these attacks.

Action Items for IT Leaders

- Ensure the organization has a formal and documented crisis response plan that is tested on at least an annual basis (see page 27).
- Provide regular training to all personnel on cyber-related policies and corporate practices, including but not limited to identifying social engineering red flags.
- Implement controls that combat the social engineering attack vector: two-factor authentication and proxy-based controls that might catch the malware before it installs or that disrupt the command and control communications if it does install.

[3] FireEye Releases Annual Mandiant Threat Report Highlighting Insights Gained From Investigations of Advanced Attacks, February 24, 2015.

Implementing Effective Data Leakage Policies

In the overall results, there is a troubling downward trend over the past three years, suggesting that fewer organizations are putting these policies into place. However, the numbers are substantially better for top-performing organizations.

What types of policies does your organization have in place to prevent data leakage? (Multiple responses permitted)

Policy | 2015 | 2014 | 2013
Password policy (or standard) | 67% | 77% | 87%
Data protection and privacy policy | 58% | 67% | 74%
Network and network devices policy | 56% | 59% | 70%
Users (privileged) access policy | 56% | 59% | 72%
Workstation/laptop policy | 56% | 59% | 73%
Encryption policy (or standard) | 55% | NA | NA
Information security policy | 54% | 67% | 77%
Data classification policy | 46% | 53% | 63%
Incident response policy | 45% | 46% | 64%
Third-party access control policy | 43% | 49% | 64%
Removable media policy | 38% | 44% | 49%
Information exchange policy | 31% | 30% | 35%
Cloud acceptable usage policy | 20% | 24% | NA

Commentary

It is puzzling to find that, overall, fewer organizations are implementing these policies, most of which are specifically called out as focus items in industry and government regulations. By not having these policies in place, organizations face potential legal liability along with significant security risks. Of particular note, it is surprising to see that the percentages of companies with privileged access and cloud acceptable usage policies are so low, especially given the heightened risks these areas represent.

There is some evidence in the survey results to suggest that the reason some of the policies were identified as not in place is because they are being updated. However, even if this is the case, organizations need to make it clear to their employees that the established policies still dictate expectations, even if they are in revision.

The picture is much better for top-performing organizations; in fact, there are wide gaps in the percentages between these and other companies.

What types of policies does your organization have in place to prevent data leakage? (Multiple responses permitted; comparing top-performing organizations)

Policy | With high board engagement in information security | Without high board engagement | With all core information security policies | Without all core information security policies
Password policy (or standard) | 79% | 63% | 81% | 59%
Data protection and privacy policy | 80% | 50% | 77% | 48%
Information security policy | 77% | 45% | 74% | 43%
Network and network devices policy | 72% | 50% | 74% | 47%
Users (privileged) access policy | 71% | 51% | 72% | 48%
Workstation/laptop policy | 70% | 50% | 75% | 45%
Encryption policy (or standard) | 77% | 47% | 77% | 43%
Data classification policy | 69% | 38% | 69% | 34%
Third-party access control policy | 57% | 38% | 68% | 30%
Incident response policy | 68% | 36% | 67% | 32%
Removable media policy | 57% | 31% | 65% | 23%
Information exchange policy | 43% | 27% | 55% | 18%
Cloud acceptable usage policy | 40% | 12% | 38% | 9%

KEY FACT

Percentage of organizations, by level of board engagement, that have an information security policy:
- High level of engagement by the board in information security risks: 77%
- Medium or low level of engagement by the board in information security risks: 45%

How does your organization communicate the expectations of its information security policies and procedures to employees? (Multiple responses permitted; comparing top-performing organizations)

Statement | All respondents | With high board engagement in information security | Without high board engagement | With all core information security policies | Without all core information security policies
We include information security policies and procedures in our annual training, which is mandatory for all employees. | 53% | 65% | 48% | 72% | 42%
We have internally developed, specific training modules that we require all employees to take in addition to our standard annual training. | 34% | 46% | 30% | 47% | 27%
We support participation by our employees in outside education on information security policies and procedures. | 23% | 39% | 17% | 30% | 19%
We do not have any formal employee communications or training related to information security policies and procedures. | 23% | 6% | 29% | 7% | 31%

Commentary

Compared to our prior year results, more top-performing organizations appear to be supporting participation by their employees in outside education on cybersecurity issues and practices. For many companies, conducting internal training sessions and communicating precisely what is applicable to their organizations is both important and advantageous. But if your organization has yet to define these things, outside training becomes a vital surrogate to ensure these issues are addressed with employees, at least until the organization has its training and communication approach defined and ready to implement.

Looking Ahead: Trends to Watch

- The growing sophistication of cyberattacks should generate more interest among organizations in having their IT teams achieve and maintain certifications such as ISO and PCI DSS. However, certification alone does not equal secure. IT functions still need to look at the kill chain and the controls that will prevent a breach from being successful.
- Social engineering will continue to grow in frequency and sophistication, underscoring the need for active employee training programs that are required for all staff and updated on a regular basis. The high failure rate organizations continue to experience when social engineering testing is performed is an indication that the current level of, and approach to, employee training is probably insufficient. Accept that training alone cannot combat this problem and implement controls that help prevent social engineering from being successful. You may not be able to prevent employees from clicking on a link, but you can prevent malware from installing.

Action Items for IT Leaders

- Leverage outside resources who are IT security experts: recognize that you may not have the knowledge in-house to conduct effective trainings, nor the resources to keep up to date on industry regulations, current approaches to cyberattacks, emerging trends and more.
- Set the right tone for the organization by establishing strong data leakage policies and communicating them. Even basic messages to staff are important, such as reminders not to open attachments from people you don't know.

Understanding and Classifying Your Crown Jewels

Overall, there is a downward three-year trend among organizations with a data classification scheme and policy in place. For top-performing companies, the news is better, with a strong majority having each of these policies in their organizations.

Does your company have a clear data classification scheme[4] and policy[5] in place that categorize the organization's data and information (sensitive, confidential, public, etc.)?

Response | Scheme 2015 | Scheme 2014 | Scheme 2013 | Policy 2015 | Policy 2014 | Policy 2013
Yes | 50% | 58% | 63% | 65% | 71% | 72%
No | 22% | 33% | 20% | 15% | 24% | 18%
Don't know | 28% | 9% | 17% | 20% | 5% | 10%

Percentage of organizations with a clear data classification scheme and policy

Group | Scheme | Policy
With high board engagement in information security | 72% | 85%
Without high board engagement | 42% | 57%
Large companies (≥ $1B) | 59% | 71%
Small companies (< $1B) | 45% | 61%
With all core information security policies | 72% | 84%
Without all core information security policies | 38% | 54%

Commentary

More organizations, and top-performing companies in particular, are stratifying their information assets, which is good practice. This drives greater efficiencies in the organization's overall information management by providing the basis for focusing on the most critical assets first. When it comes to classifying the organization's most valuable data (in other words, its crown jewels), some companies may be striving to achieve the perfect classification system and, until they do so, they are not moving forward. In our view, the preferred approach is to establish a sound classification system, basic or otherwise, and implement it. It is far better to have a system in place that in all likelihood is good enough, rather than experience endless delays in search of the perfect system.

Among the many dangers of not classifying data formally is that companies may lack specific records or a responsible party who understands all of the organization's crown jewels. Employee records, pre-release financial data and intellectual property are information assets that commonly come to mind as sensitive, but it often takes a devoted focus to remind the organization about unique processes or data types that are coveted by other organizations. Critical information may be forgotten or omitted from an ad hoc process. In addition, without a formal data classification scheme, certain information that would be considered highly valuable by third parties may not be viewed as such internally, and thus may not be managed and secured accordingly.

Without a tool to help identify where sensitive data is, an organization likely does not have a handle on it. Structured data is easier to identify and control, whereas unstructured data could be anywhere. In the future, use of virtual desktop infrastructure and similar technologies can help prevent data from leaking by restricting functions such as copy, cut, paste, etc. This could be the way of the future for more companies.

[4] Data classification scheme: The groups or categories under which data is classified, for example: highly classified/secret, sensitive, internal use only, non-sensitive/public, etc.
[5] Data classification policy: The guidelines dictating how, when and where the organization, including but not limited to all employees, functions and third parties working on behalf of the organization, classifies, manages and secures its data.

How would you rate your management's understanding of what comprises its crown jewels (in other words, its sensitive data and information)?

Response | 2015 | 2014 | 2013
Excellent understanding | 29% | 23% | 27%
Good understanding | 45% | 51% | 48%
Limited understanding | 16% | 22% | 22%
Little or no understanding | 3% | 3% | 2%
Don't know | 7% | 1% | 1%

Percentage of organizations in which management has an excellent understanding of what comprises its crown jewels (in other words, its sensitive data and information)

Group | Percentage
With high board engagement in information security | 57%
Without high board engagement | 18%
With all core information security policies | 47%
Without all core information security policies | 18%

Commentary

The overall results show positive year-over-year movement in organizations that have an excellent understanding of their crown jewels. Similar to our 2014 results, there is a sizable gap in this category between top-performing companies and other organizations.
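The commentary above notes that without a tool to locate sensitive data an organization does not have a handle on it, and footnote 4 gives a four-level classification scheme. The following Python script is an added example (it is not from the Protiviti report and is not a Protiviti tool) of the kind of discovery check a team can run over a file share before classifying: it looks for payment-card numbers (validated with the Luhn checksum so that ticket or order numbers are not flagged), SSN-formatted identifiers and e-mail addresses, plus "CONFIDENTIAL" and "INTERNAL" handling markers, and assigns each file the most restrictive class that applies, keeping the reasons so the resulting inventory can be reviewed. The regular expressions, the marker words, the mapping from findings to classes and the sample files are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Class names follow the scheme in the report's footnote 4; which finding maps
# to which class is this example's assumption, not a rule from the report.
SECRET = "highly classified/secret"
SENSITIVE = "sensitive"
INTERNAL = "internal use only"
PUBLIC = "non-sensitive/public"

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN layout
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit strings that have a card-number shape and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Finding:
    label: str
    reasons: list = field(default_factory=list)


def classify(text: str) -> Finding:
    """Most restrictive class wins; reasons make the inventory auditable."""
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} payment card number(s)")
    ssns = SSN_RE.findall(text)
    if ssns:
        reasons.append(f"{len(ssns)} SSN-formatted identifier(s)")
    if reasons:
        return Finding(SECRET, reasons)
    if "CONFIDENTIAL" in text.upper():
        reasons.append("CONFIDENTIAL marker")
    emails = EMAIL_RE.findall(text)
    if emails:
        reasons.append(f"{len(emails)} e-mail address(es)")
    if reasons:
        return Finding(SENSITIVE, reasons)
    if "INTERNAL" in text.upper():
        return Finding(INTERNAL, ["INTERNAL marker"])
    return Finding(PUBLIC, ["no sensitive markers or identifiers found"])


# Constructed sample corpus standing in for a file-share scan (not real data).
SAMPLE_FILES = {
    "hr/payroll_export.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "sales/card_on_file.txt": "Customer card: 4111 1111 1111 1111 (test number)",
    "eng/design_notes.md": "CONFIDENTIAL: next-gen sensor design. Owner: alice@example.com",
    "it/runbook.txt": "INTERNAL use only. Change ticket 1234 5678 9012 3456 (not a card).",
    "marketing/press_release.txt": "We are pleased to announce our new product line.",
}


def build_inventory(files: dict) -> dict:
    """Path -> Finding for every file scanned."""
    return {path: classify(text) for path, text in files.items()}


def crown_jewel_paths(files: dict) -> list:
    """Paths whose contents fall in the most restrictive class."""
    return sorted(p for p, f in build_inventory(files).items() if f.label == SECRET)


if __name__ == "__main__":
    for path, finding in build_inventory(SAMPLE_FILES).items():
        print(f"{path:30} {finding.label:26} {'; '.join(finding.reasons)}")
```

In practice the marker-word check is what catches unstructured documents that a regex for identifiers would miss, while the Luhn filter keeps the secret class from filling up with false positives; both sides are needed before the inventory is worth acting on.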

If you have not done a full data classification, how would you rate your level of awareness with regard to what your crown jewels are (in other words, your most valuable assets)? (Comparing top-performing organizations)

Response | All respondents 2015 | All respondents 2014 | With high board engagement in information security | Without high board engagement | With all core information security policies | Without all core information security policies
Very aware | 40% | 45% | 63% | 31% | 57% | 30%
Somewhat aware | 45% | 46% | 33% | 50% | 36% | 50%
Little awareness | 10% | 9% | 3% | 13% | 5% | 13%
No awareness | 5% | 0% | 1% | 6% | 2% | 7%

Commentary

This is a question that board members increasingly are asking of management, who must know and be able to explain clearly how the organization is managing its crown jewels. IT leaders and staff should expect these inquiries to be passed on to them, as well, and be prepared to respond knowledgeably. We expect to see an accelerated emphasis from the board and executive management to ensure that this clarity in data sensitivity permeates the organization (including third parties) at all levels.

From the following, please select the statement that best describes your organization's data retention and storage process

Statement | 2015 | 2014 | 2013
We retain all data and records with no defined destruction date | 12% | 17% | 9%
We retain all data and records for a certain period of time, with a defined destruction date | 45% | 43% | 38%
We have a basic classification system to define data, with a few specific retention policies and destruction dates depending on the classification | 14% | 18% | 25%
We have a detailed classification system to define data, with varying retention policies and destruction dates depending on the classification | 13% | 15% | 19%
Our organization does not have a formal data retention and destruction policy | 4% | 5% | 5%
Don't know | 12% | 2% | 4%

KEY FACTS

- Percentage of organizations with all core information security policies in place that have a detailed classification system to define data: 22%
- Percentage of organizations without all core information security policies in place that have such a system: 8%
- Percentage of organizations with a medium or low level of board engagement that have such a system: 10%
- Percentage of organizations with a high level of board engagement that have such a system: 21%

How well do your C-suite executives (CEO, CFO, etc.) know and understand your organization's data retention and destruction policy?

Response | 2015 | 2014 | 2013
They know and understand the policy very well | 34% | 26% | 30%
They have some knowledge and understanding of the policy's general concepts | 40% | 48% | 43%
They have limited knowledge about the policy | 16% | 16% | 18%
They have little or no knowledge about the policy | 5% | 4% | 7%
Our organization does not have a formal data retention and destruction policy | 5% | 6% | 2%

Commentary

The year-over-year results show positive growth in the C-suite's knowledge of data retention and destruction policies. Organizations should have metrics in place to test the effectiveness of these policies. Keep in mind that if you have a more aggressive retention policy, there is less data to breach.

Percentage of organizations in which C-suite executives know and understand the organization's data retention and destruction policy very well

Group | Percentage
With high board engagement in information security | 66%
Without high board engagement | 22%
With all core information security policies | 53%
Without all core information security policies | 23%
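The retention question above distinguishes organizations that retain everything indefinitely from those whose destruction dates depend on classification, and the commentary points out that a more aggressive retention schedule leaves less data to breach. The following Python code is an added example, not from the report, of what a classification-driven schedule looks like in practice: a retention period per class, a computed destruction date per record, a list of records that are overdue for destruction, and a count of how much data two different schedules leave on hand on a given date. The retention periods, the sample records and the as-of date are constructed assumptions, not figures from the survey, and an unclassified record is treated as an error rather than silently retained.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    created: date


# Retention period in days per classification; None means "retain with no
# defined destruction date" (the first option in the survey question).
# Both schedules are assumptions for this example, not recommendations.
BASELINE_SCHEDULE = {
    "highly classified/secret": 7 * 365,
    "sensitive": 5 * 365,
    "internal use only": 3 * 365,
    "non-sensitive/public": None,
}
AGGRESSIVE_SCHEDULE = {
    "highly classified/secret": 3 * 365,
    "sensitive": 2 * 365,
    "internal use only": 365,
    "non-sensitive/public": 2 * 365,
}


def destruction_date(record: Record, schedule: dict) -> Optional[date]:
    """Destruction date implied by the record's class, or None if retained indefinitely."""
    if record.classification not in schedule:
        # An unclassified record has no retention rule; surface it rather than guess.
        raise ValueError(f"{record.record_id}: unknown classification {record.classification!r}")
    days = schedule[record.classification]
    return None if days is None else record.created + timedelta(days=days)


def overdue_for_destruction(records, schedule: dict, today: date) -> list:
    """Records whose destruction date has passed and that should no longer exist."""
    due = []
    for r in records:
        d = destruction_date(r, schedule)
        if d is not None and d <= today:
            due.append(r.record_id)
    return sorted(due)


def retained_count(records, schedule: dict, today: date) -> int:
    """How much data is still on hand, and therefore still breachable, under this schedule."""
    return len(records) - len(overdue_for_destruction(records, schedule, today))


# Constructed sample inventory and as-of date (not survey data).
AS_OF = date(2015, 9, 30)
SAMPLE_RECORDS = (
    Record("R1", "highly classified/secret", date(2009, 1, 15)),
    Record("R2", "sensitive", date(2008, 6, 1)),
    Record("R3", "internal use only", date(2014, 3, 10)),
    Record("R4", "non-sensitive/public", date(2010, 1, 1)),
    Record("R5", "highly classified/secret", date(2015, 2, 1)),
)


if __name__ == "__main__":
    for label, schedule in (("baseline", BASELINE_SCHEDULE), ("aggressive", AGGRESSIVE_SCHEDULE)):
        due = overdue_for_destruction(SAMPLE_RECORDS, schedule, AS_OF)
        print(f"{label:10} overdue: {due}  retained: {retained_count(SAMPLE_RECORDS, schedule, AS_OF)}")
```

Run against the sample inventory, the baseline schedule leaves four of the five records in place while the aggressive one leaves one, which is the "less data to breach" point in the commentary expressed as a number a retention metric could track.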

In your company, how well do you think management communicates to the organization/all employees the need to differentiate between public and sensitive data and how each is treated? (Comparing top-performing organizations)

Statement | All respondents 2015 | All respondents 2014 | All respondents 2013 | With high board engagement in information security | Without high board engagement | With all core information security policies | Without all core information security policies
Management does an excellent job of communicating these differences and how to treat each type of data | 23% | 20% | 23% | 42% | 15% | 37% | 15%
Management does an acceptable job of communicating these differences and how to treat each type of data, but there is room for improvement | 45% | 50% | 50% | 46% | 44% | 47% | 44%
There is substantial room for improvement in how management communicates these differences and how to treat each type of data | 20% | 22% | 21% | 9% | 24% | 10% | 25%
Management has not communicated these differences or how to treat each type of data | 5% | 7% | 4% | 1% | 7% | 2% | 7%
Don't know | 7% | 1% | 2% | 2% | 10% | 4% | 9%

Commentary

Similar to last year's results, there are substantial differences between the results of top-performing organizations and other companies. This mirrors the results showing that top-performing organizations are more aware of and clear on their sensitive data assets.

Does your organization prioritize data that is processed and treated with special care?

Group | Yes
With high board engagement in information security | 83%
Without high board engagement | 51%
With all core information security policies | 75%
Without all core information security policies | 52%

Which of the following sensitive data types does your organization specifically prioritize? (Multiple responses permitted; comparing top-performing organizations)

Data type | All respondents 2015 | All respondents 2014 | With high board engagement in information security | Without high board engagement | With all core information security policies | Without all core information security policies
Payment Card Industry (PCI) data | 47% | 40% | 55% | 43% | 63% | 35%
Private client/customer data | 80% | 76% | 83% | 79% | 87% | 75%
Healthcare data | 51% | 34% | 54% | 50% | 61% | 44%
Organization's intellectual property | 63% | 57% | 77% | 55% | 78% | 52%

Commentary

Note the significant jump in healthcare data; this is understandable given the high value placed on stolen healthcare data by cyber criminals (healthcare is the most frequently breached industry), as well as the increased focus on HIPAA audits by the Office for Civil Rights (OCR) in the United States.

Interestingly, the most noticeable differences between top-performing organizations and other companies are with regard to intellectual property (IP). One possible reason is that this information, unlike a lot of other data that companies retain and manage, is not regulated: poor management of IP (such as product designs and licensing) will not result in regulatory fines. Thus, while top-performing organizations may recognize the value of their IP and prioritize it accordingly, other companies may focus their attention more immediately on complying with regulations for other data: PCI, customer, healthcare, etc. Also of note, it is more difficult to configure data loss prevention tools to protect IP data.

How would you rate your IT department's understanding of the lifecycle of the organization's data, from acquisition to retention/storage to (if applicable) destruction?

All respondents: 2015 | 2014 | 2013
Excellent understanding | 27% | 27% | 21%
Good understanding | 47% | 52% | 46%
Limited understanding | 14% | 16% | 27%
Little or no understanding | 4% | 3% | 3%
Don't know | 8% | 2% | 3%

Chart: organizations in which the IT department has an excellent understanding of the data lifecycle
  With high board engagement in information security: 49%
  Without: 19%
  With all core information security policies: 39%
  Without: 20%

Looking Ahead: Trends to Watch

From a regulatory perspective, fines are increasing in both frequency and amount. For example, the Federal Trade Commission has been assessing fines against companies for poor protection of sensitive data and information, and such fines are likely to keep increasing in the coming years. The rising risk and growing sophistication of cyberattacks conducted by individuals and entities worldwide will likely lead to more regulation and oversight, as governments and regulatory authorities seek to better protect the data of individuals and companies.

More regulation and larger fines will increase the pressure on organizations to invest in data classification, driving them to decide faster what their crown jewels are and to move forward with securing them, rather than trying to first build the perfect classification system.

Action Items for IT Leaders

There is a proven logic path that organizations should follow as they work to understand and classify their data:

1. Determine what your crown jewels are, then identify where they are via self-assessment and confirm the findings with appropriate discovery tools.
2. Identify the threats to these crown jewels.
3. Conduct a thorough threat and risk analysis.
4. Identify the inherent risks (the probability and impact of these threats before controls are considered) and inventory the processes and systems in place to minimize them.
5. Determine the residual risk that remains once all current processes and systems are taken into account.
6. Based on residual risk, evaluate the organization's security program, frameworks and implementation; continually test and reduce residual risk, look for trends, and monitor metrics.
7. Develop an incident response plan that includes periodic and comprehensive testing, because in all likelihood the organization will experience a security event of some kind.
8. Assess year-over-year trends in this process to identify where risks are receding and where they are growing.
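Step 1 above asks organizations to confirm where their crown jewels are with tooling, and the earlier commentary on prioritized data types notes that data loss prevention tools are harder to configure for intellectual property than for regulated data. The following Python script is an added example, not code from the survey or from any Protiviti tool, showing both detection strategies side by side: card numbers are found with a pattern plus the Luhn checksum, while a protected design note is fingerprinted by hashing runs of words and other text is scored by how much of that fingerprint it contains. The document names, the sample texts and the test card number are all constructed for the example.

```python
"""Sensitive-data discovery: regulated data vs. intellectual property.

Added example, not code from the Protiviti survey. It shows the two detection
strategies a data discovery or DLP pass relies on when confirming where the
"crown jewels" are:
  * structured regulated data (PCI card numbers) is found with a pattern plus
    the Luhn checksum, which discards most random digit runs;
  * intellectual property has no pattern, so known documents are fingerprinted
    (hashed word shingles) and other files are scanned for their fragments.
All documents and the card number below are constructed test data.
"""
import hashlib
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return masked card numbers (first 6 / last 4 kept) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def shingles(text: str, k: int = 5) -> set[str]:
    """Hash every run of k consecutive words; the set is the document fingerprint."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def ip_matches(fingerprints: dict[str, set[str]], text: str,
               threshold: float = 0.2) -> dict[str, float]:
    """Fraction of each protected document's shingles that appear in text.

    Containment (not Jaccard similarity) is used so that a short excerpt pasted
    into a long e-mail still scores against the document it came from.
    """
    observed = shingles(text)
    result = {}
    for doc_id, fp in fingerprints.items():
        if fp:
            share = len(observed & fp) / len(fp)
            if share >= threshold:
                result[doc_id] = round(share, 2)
    return result


# Constructed sample data: one protected design note, one export file, one
# outbound e-mail that quotes the note, and one unrelated memo.
PROTECTED_DOCS = {
    "kestrel-design": (
        "Project Kestrel design note. The turbine blade uses a hollow titanium "
        "core with internal cooling channels machined at a twelve degree offset. "
        "Supplier part numbers are listed in appendix B."
    ),
}
FINGERPRINTS = {doc_id: shingles(body) for doc_id, body in PROTECTED_DOCS.items()}

SAMPLE_EXPORT = (
    "Card 4111 1111 1111 1111 exp 12/27, phone 555-0100, order 1234567890123"
)
SAMPLE_MAIL = (
    "FYI see below. The turbine blade uses a hollow titanium core with internal "
    "cooling channels machined at a twelve degree offset. Thanks"
)
SAMPLE_MEMO = "Lunch is at noon on Friday, please RSVP to the front desk by Wednesday."

if __name__ == "__main__":
    print("PANs in export:", find_pans(SAMPLE_EXPORT))   # order number fails Luhn
    print("IP in mail:", ip_matches(FINGERPRINTS, SAMPLE_MAIL))
    print("IP in memo:", ip_matches(FINGERPRINTS, SAMPLE_MEMO))
```

The 13-digit order number in the export is rejected by the Luhn check even though it matches the pattern, which is why card-number detection produces few false positives. The e-mail, by contrast, would never be caught by a pattern: it is flagged only because about half of the design note's word shingles reappear in it, and the threshold has to be tuned per document type because it is a judgment call, not a checksum.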

A Look at the IT Security Organization

To whom does the IT security organization report in your company?
Chief Information Officer | 55%
Chief Executive Officer | 13%
Chief Financial Officer | 6%
Chief Compliance Officer | 4%
Board of Directors | 4%
Other | 5%
Don't know | 13%

Approximately how many full-time professionals are employed in your IT security organization?

Columns: all respondents | large companies ($1B or more) | small companies (< $1B)
More than 50 | 37% | 56% | 20%
31 to 50 | 9% | 7% | 10%
16 to 30 | 10% | 9% | 11%
5 to 15 | 17% | 11% | 22%
Less than 5 | 16% | 5% | 27%
Don't know | 11% | 12% | 10%

Approximately what percentage of your organization's overall IT budget is dedicated to security?

Columns: all respondents | large companies ($1B or more) | small companies (< $1B)
10% to 20% | 35% | 29% | 40%
21% to 30% | 12% | 13% | 11%
31% to 40% | 5% | 5% | 5%
41% to 50% | 1% | 1% | 1%
More than 50% | 1% | 1% | 1%
Don't know | 46% | 51% | 42%

Commentary: While in a majority of organizations the IT security function reports to the CIO, as expected, it is important to note that security is not just an IT issue. Some organizations may want to consider changing this reporting structure in the future so that security reports to the board or to an executive with broader oversight of the organization.

Who is responsible for creating and overseeing data governance in your organization?

All respondents: 2015 | 2014 | 2013
Chief Information Officer | 33% | 41% | 38%
Chief Security Officer | 25% | 20% | 16%
Individual department leaders (HR, Legal, Marketing, etc.) | 9% | 14% | 12%
Chief Privacy Officer | 5% | 4% | 4%
Chief Financial Officer | 4% | 5% | 2%
Other | 7% | 8% | 17%
Don't know | 17% | 8% | 11%

Who is responsible for executing the data governance strategy/policy in your organization?

All respondents: 2015 | 2014 | 2013
Chief Information Officer | 37% | 41% | 31%
Chief Security Officer | 19% | 17% | 18%
Individual department leaders (HR, Legal, Marketing, etc.) | 14% | 20% | 24%
Chief Privacy Officer | 5% | 3% | 3%
Chief Financial Officer | 3% | 2% | 1%
Other | 6% | 8% | 13%
Don't know | 16% | 9% | 10%

Slow Growth for Data in the Cloud

Similar to our prior year's results, relatively few organizations are storing sensitive data with cloud-based vendors, which is a positive finding given the current limitations of the cloud. Growth in the "don't know" percentages is troubling, suggesting there are knowledge gaps within IT organizations as to where the organization's crown jewels are stored.

Where is your company's sensitive data stored?

Columns: all respondents 2015 | 2014 | 2013 | large companies ($1B or more) | small companies (< $1B)
On-site servers | 50% | 66% | 57% | 46% | 56%
Off-site servers | 20% | 18% | 21% | 20% | 19%
Cloud-based vendor | 9% | 8% | 3% | 9% | 8%
Not stored in any centralized location | 6% | 6% | 8% | 7% | 5%
On users' computers | 1% | NA | NA | 1% | 1%
Don't know | 14% | 2% | 11% | 17% | 11%

Looking Ahead: Trends to Watch

Over time, it is likely that more organizations will begin to shift their storage of data, sensitive as well as nonconfidential, to the cloud. We already are seeing cloud providers become more responsive in providing assurances that they are handling data properly. Given the greater efficiencies available through cloud storage, more organizations will want to move in this direction, but they won't do so without strong assurances from providers regarding security. This will increase the pressure on providers to enhance their security measures.

Data likely is already shifting to the cloud even where an organization is not officially moving it there. It is easy for users to adopt cloud services on their own and to send data to well-known providers such as Salesforce and Dropbox. Tools can be employed to give companies visibility into cloud services that are already in use despite the organization being unaware of them.

Action Items for IT Leaders

Every cloud-based provider the organization is using or considering should be vetted thoroughly regarding its security protocols. Organizations may want to consider leveraging the Vendor Risk Management Maturity Model from the Shared Assessments Program.
6 The Shared Assessments Program and Protiviti publish an annual study on the vendor risk management capabilities of organizations.
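The section above says that tools can reveal cloud services already in use without the organization's knowledge. The Python script below is an added example, not code from the survey or from any Protiviti tool, of the simplest form of that visibility: it reads web proxy records, maps hostnames to known cloud services, drops the services the organization has approved, and summarizes who is using the rest and how much they are uploading. The host-to-service map, the sanctioned list, the simplified "timestamp client user method url bytes-sent" log layout and the log lines themselves are all constructed assumptions for the example.

```python
"""Shadow cloud discovery from web proxy logs.

Added example, not code from the Protiviti survey. Proxy records are mapped to
known cloud services, sanctioned services are filtered out, and per-service
users and upload volume are summarised so the organisation can see where data
is already flowing. The host map, the sanctioned list and the log lines are
constructed; the log format is a simplified "timestamp client user method url
bytes-sent" layout, not any proxy product's native format.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostname suffix -> cloud service. Assumed for the example; a real deployment
# would use a maintained vendor feed with thousands of entries.
CLOUD_SERVICES = {
    "salesforce.com": "Salesforce",
    "force.com": "Salesforce",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "box.com": "Box",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
}
SANCTIONED = {"Salesforce", "Box"}          # assumed approved services
UPLOAD_METHODS = {"POST", "PUT"}            # requests that carry data outbound

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def host_of(url: str) -> str:
    """Hostname for an absolute URL or for a CONNECT-style host:port target."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.split(":")[0].lower()


def classify_host(host: str):
    """Longest-suffix lookup, so drive.google.com matches while mail.google.com does not."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        service = CLOUD_SERVICES.get(".".join(parts[i:]))
        if service:
            return service
    return None


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, user, method, url, nbytes = m.groups()
    return {"ts": ts, "client": client, "user": user, "method": method,
            "host": host_of(url), "bytes": int(nbytes)}


def shadow_cloud_report(lines):
    """Unsanctioned cloud services seen: users, request count and bytes uploaded."""
    agg = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(rec["host"])
        if service is None or service in SANCTIONED:
            continue
        entry = agg[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += rec["bytes"]
    return {svc: {"users": sorted(e["users"]), "requests": e["requests"],
                  "upload_bytes": e["upload_bytes"]}
            for svc, e in sorted(agg.items())}


# Constructed sample log: one morning of traffic from four users.
SAMPLE_LOG = """\
2015-09-14T09:01:12Z 10.20.4.15 jdoe GET https://eu1.salesforce.com/home 512
2015-09-14T09:03:40Z 10.20.4.15 jdoe POST https://www.dropbox.com/upload 5242880
2015-09-14T09:05:02Z 10.20.7.88 asmith CONNECT dropbox.com:443 734003
2015-09-14T09:07:19Z 10.20.7.88 asmith PUT https://content.dropboxapi.com/2/files/upload 1048576
2015-09-14T09:10:55Z 10.20.9.3 bwong GET https://drive.google.com/drive/my-drive 2048
2015-09-14T09:11:30Z 10.20.9.3 bwong POST https://docs.google.com/document/create 4096
2015-09-14T09:12:00Z 10.20.4.15 jdoe GET https://app.box.com/folder/0 1024
2015-09-14T09:13:00Z 10.20.5.1 cdavis GET https://www.example.com/news 8192
""".splitlines()

if __name__ == "__main__":
    for service, entry in shadow_cloud_report(SAMPLE_LOG).items():
        print(service, entry)
```

Salesforce and Box traffic disappears from the report because they are on the assumed sanctioned list; Dropbox shows two users and about 6 MB uploaded, which is the kind of figure that turns a vague concern into a vendor-vetting action item. CONNECT tunnels are counted as requests but not as uploads, since the proxy cannot see the method inside a TLS tunnel; a production tool would add TLS inspection or endpoint agents to close that gap.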

Getting Ready for a Crisis

If your organization experienced a data breach or hacking incident, does it have a formal and documented crisis response plan that would be activated and executed?

All respondents: 2015 | 2014 | 2013
Yes | 56% | 56% | 66%
No | 24% | 34% | 21%
Don't know | 20% | 10% | 13%

Commentary: It is remarkable that so many organizations apparently lack a formal and documented crisis response plan. Today's cyber climate virtually guarantees that an organization will experience an attack or data breach at some point; numerous industry experts point out that the question is when a breach happens, not if. As the chart below shows, the results are far better for top-performing organizations, a strong majority of which have such plans in place.

Chart: organizations that have a formal and documented crisis response plan
  With high board engagement in information security: 80%
  Without: 47%
  With all core information security policies: 77%
  Without: 45%

As defined in your organization's documented crisis response plan, who needs to be involved in addressing a data breach or hacking incident? (Multiple responses permitted)

All respondents: 2015 | 2014 | 2013
Chief Information Officer* | 71% | 75% | 72%
Chief Security Officer* | 63% | 56% | 72%
General Counsel/Chief Legal Officer | 47% | 46% | 67%
Chief Executive Officer | 43% | 43% | 38%
Chief Privacy Officer | 25% | 26% | 38%
Corporate Communications | 40% | 41% | 63%

* These roles were grouped together in previous years of this survey, but are listed separately in this year's study.

With regard to IT security, does your organization periodically perform fire drills to test its ability to execute the organization's incident response plan?

All respondents: 2015 | 2014
Yes | 40% | 46%
No | 39% | 49%
Don't know | 21% | 5%

IF YES: How frequently does your organization perform its fire drills?

2015 | 2014
Monthly | 9% | 7%
Quarterly | 38% | 30%
Semi-annually | 30% | 27%
Annually | 23% | 36%

Commentary: While the percentage of organizations that conduct fire drills has not increased, there has been positive growth in how often they are run: 47 percent conduct such drills at least quarterly, compared to 37 percent a year ago.

When was your organization's incident response plan most recently updated?

2015 | 2014
Within the past year | 48% | 46%
Within the past two years | 24% | 22%
Within the past five years | 12% | 9%
Longer than five years | 3% | 4%
Our plan has not been updated | 13% | 19%

Chart: organizations that have updated their incident response plan within the past year
  With high board engagement in information security: 76%
  Without: 37%
  With all core information security policies: 72%
  Without: 34%

Looking Ahead: Trends to Watch

With regard to security, PCI DSS already requires that the incident response plan be tested at least annually, and the HIPAA Security Rule calls for contingency plan testing and revision procedures. It is possible that as new laws and regulations are passed to address growing cyber concerns, they will include requirements for documented crisis response plans along with periodic testing.

Action Items for IT Leaders

On at least an annual basis, plan and conduct periodic testing and cyber war games; these are critical elements of an IT security program. Test the plan against different scenarios (a lost laptop, a compromised vendor, ransomware on a file server); a plan exercised against a single scenario is unlikely to be effective against the next one.

Conduct specific tests of social engineering and share the results with management.

Understand who in the IT department or the broader organization has responsibility for each phase of the lifecycle of a cyber incident, from identifying it to managing technology remediation to communicating with management, among numerous other tasks.

Establish relationships with federal and local law enforcement agencies to ensure a rapid and effective response to a cyberattack (regulatory authorities are beginning to emphasize this more in their guidance).

Managing Vendors Who Manage Your Data

While overall a majority of organizations, even those not classified as top performers, are adhering to best practices when it comes to overseeing the vendors that manage their data, a significant number of companies are still failing to do so.

If data is being acquired/accessed from one or more third parties, has your organization ensured that it has all proper contracts and policies in place (including breach notification processes)?*
  With high board engagement in information security: 78%
  Without: 58%
  With all core information security policies: 72%
  Without: 59%
* Percentage of "yes" responses shown.

Are your vendors aware of the sensitivity of the data being shared, and are they managing and securing that data in a manner consistent with your data classification requirements?*
  With high board engagement in information security: 85%
  Without: 63%
  With all core information security policies: 77%
  Without: 66%
* Percentage of "yes" responses shown.

On a scale of 1 to 10, where 10 is highly knowledgeable and 1 is not at all knowledgeable, how would you rate your organization's level of knowledge about the data management programs and procedures of its third-party vendors?

Chart: average rating by top-performer group (with high board engagement in information security, without, with all core information security policies, without). Only three of the four values survive in the extracted text (6.5, 7.8 and 6.5), and their pairing with the groups is not recoverable here.

What is your company's policy on provisioning accounts for external access?

All respondents: 2015 | 2014 | 2013
Create accounts within an internal Active Directory | 27% | 28% | 29%
Create accounts within an Active Directory for external users only | 17% | 20% | 11%
Never create such accounts and do not permit access | 12% | 18% | 13%
Company has a custom in-house solution | 8% | 11% | 13%
Federate with external parties | 4% | 3% | 4%
Federate with third-party providers | 2% | 3% | 1%
Do not have such a policy | 8% | 10% | 3%
Don't know | 22% | 7% | 26%

Commentary: As we noted earlier, many organizations are not prepared with a plan to manage their own incidents and cyberattacks, let alone a plan that covers third-party incidents and attacks. The same due diligence that organizations should apply to their own incident response plans must also be applied when sensitive data is outsourced to third parties. Vendors should be required to demonstrate how they protect the data, to maintain and test a mature incident response plan, and to commit in contractual service-level agreements to report compromises back to the organization.

What is your company's policy on granting external access to sensitive data?

All respondents: 2015 | 2014 | 2013
Unique credentials accessible over a secured VPN | 37% | 39% | 44%
Never grant access | 16% | 19% | 13%
Grant access on the premises only | 15% | 18% | 12%
SSL access over the Internet | 10% | 10% | 11%
Do not have such a policy | 4% | 8% | 3%
Don't know | 18% | 6% | 17%

Looking Ahead: Trends to Watch

As we noted in our study on the current state of vendor risk management maturity (conducted in partnership with the Shared Assessments Program), there is growing momentum for building stronger vendor risk management programs, as these issues increasingly appear on the agendas of boards of directors, especially as they relate to loss or exposure of sensitive data through cyberattacks and other compromises. Boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately.7

7 Ibid.

DEMOGRAPHICS

More than 700 IT executives and professionals (n = 708) participated in the study. Following are details regarding the respondents and the size of companies represented in the study.8

Position (Title/Role)
Chief Information Officer | 5%
Chief Technology Officer | 4%
Chief Information Security Officer | 1%
Chief Security Officer | 1%
IT VP/Director | 8%
IT Audit VP/Director | 1%
IT Manager | 30%
IT Audit Manager | 1%
IT Staff | 41%
IT Audit Staff | 1%
Other | 7%

Industry
Government/Education/Not-for-profit | 24%
Technology | 16%
Financial Services | 10%
Manufacturing | 10%
Healthcare Provider | 8%
Insurance | 7%
Retail | 5%
Communications | 2%
Energy | 2%
Life Sciences/Biotechnology | 2%
Consumer Products | 1%
Hospitality | 1%
Utilities | 1%
Healthcare Payer | 1%
Real Estate | 1%
Other | 9%

8 All demographic information was provided voluntarily by respondents. Percentages in the tables correspond to those providing this information rather than the total sample of respondents.

Size of Organization (by Gross Annual Revenue)
$20 billion or greater | 18%
$10 billion - $19.99 billion | 7%
$5 billion - $9.99 billion | 7%
$1 billion - $4.99 billion | 16%
$500 million - $999.99 million | 11%
$100 million - $499.99 million | 15%
Less than $100 million | 26%

Type of Organization
Public | 40%
Private | 35%
Not-for-profit | 12%
Government | 13%

Location
United States | 96%
Japan | 4%

ABOUT PROTIVITI

Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Named one of the 2015 Fortune 100 Best Companies to Work For, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our IT Consulting Services

In today's rapidly evolving technological environment, a trusted adviser, one who not only provides relevant insights but delivers a combination of strategic vision, proven expertise and practical experience, can enhance the value of your business with technology. Our global IT Consulting practice has helped CIOs and IT leaders at more than 1,200 companies worldwide design and implement advanced solutions in IT governance, security, data management, applications and compliance. By partnering with us, you ensure that your IT organization performs with the same focus and excellence with which you manage day-to-day business operations. We will work with you to address IT security and privacy issues and deploy advanced and customized application and data management structures that not only solve problems, but add value to your business.
Contacts

Kurt Underwood, Global Leader, IT Consulting, kurt.underwood@protiviti.com
Rocco Grillo, Leader, Incident Response & Forensics Services, rocco.grillo@protiviti.com
Scott Laliberte, Leader, Vulnerability Assessment & Penetration Testing, scott.laliberte@protiviti.com
Jeff Sanchez, Leader, Data Security & Privacy Management, jeffrey.sanchez@protiviti.com
Michael Walter, Leader, Cyber Intelligence Response Center (CIRC), michael.walter@protiviti.com
Ryan Rubin, Leader, Identity & Access Management, ryan.rubin@protiviti.co.uk
Cal Slemp, Leader, Security Program & Strategy, cal.slemp@protiviti.com


More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

Continuous Network Monitoring

Continuous Network Monitoring Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment

More information

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial

More information

2015 VORMETRIC INSIDER THREAT REPORT

2015 VORMETRIC INSIDER THREAT REPORT Research Conducted by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security RETAIL EDITION #2015InsiderThreat RESEARCH BRIEF RETAIL CUSTOMERS AT RISK ABOUT THIS RESEARCH BRIEF

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability

Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability A Custom Technology Adoption Profile Commissioned By BitSight Technologies Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability Introduction As concerns around

More information

Simply Sophisticated. Information Security and Compliance

Simply Sophisticated. Information Security and Compliance Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns

More information

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION

More information

Brief. The BakerHostetler Data Security Incident Response Report 2015

Brief. The BakerHostetler Data Security Incident Response Report 2015 Brief The BakerHostetler Data Security Incident Response Report 2015 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the

More information

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1 PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape White Paper Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape Financial services organizations have a unique relationship with technology: electronic data and transactions

More information

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Executive Overview Within the legal sector, IT system security and compliance have changed dramatically

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

Improving Cyber Security Risk Management through Collaboration

Improving Cyber Security Risk Management through Collaboration CTO Corner April 2014 Improving Cyber Security Risk Management through Collaboration Dan Schutzer, Senior Technology Consultant, BITS Back in March 2013, I wrote a CTO Corner on Operational and Cyber Risk

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

Improving Unstructured Data Governance. Ryan Jancaitis Product Management Symantec

Improving Unstructured Data Governance. Ryan Jancaitis Product Management Symantec Improving Unstructured Data Governance Ryan Jancaitis Product Management Symantec Agenda 1 2 3 4 Overview Data Management Data Protection and Compliance Summary Unstructured Information Growth Leads to

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Managing the Unpredictable Human Element of Cybersecurity

Managing the Unpredictable Human Element of Cybersecurity CONTINUOUS MONITORING Managing the Unpredictable Human Element of Cybersecurity A WHITE PAPER PRESENTED BY: May 2014 PREPARED BY MARKET CONNECTIONS, INC. 14555 AVION PARKWAY, SUITE 125 CHANTILLY, VA 20151

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report

More information

Global IT Security Risks

Global IT Security Risks Global IT Security Risks June 17, 2011 Kaspersky Lab leverages the leading expertise in IT security risks, malware and vulnerabilities to protect its customers in the best possible way. To ensure the most

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Data Security: Fight Insider Threats & Protect Your Sensitive Data

Data Security: Fight Insider Threats & Protect Your Sensitive Data Data Security: Fight Insider Threats & Protect Your Sensitive Data Marco Ercolani Agenda Data is challenging to secure A look at security incidents Cost of a Data Breach Data Governance and Security Understand

More information

The Path Ahead for Security Leaders

The Path Ahead for Security Leaders The Path Ahead for Security Leaders Executive Summary What You Will Learn If you asked security leaders five years ago what their primary focus was, you would likely get a resounding: securing our operations.

More information

Accenture Risk Management. Industry Report. Life Sciences

Accenture Risk Management. Industry Report. Life Sciences Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive

More information

Healthcare in the Crosshairs for Data Breaches. April 22, 2015. Deborah Hiser (512) 703-5718 deborah.hiser@huschblackwell.com

Healthcare in the Crosshairs for Data Breaches. April 22, 2015. Deborah Hiser (512) 703-5718 deborah.hiser@huschblackwell.com Healthcare in the Crosshairs for Data Breaches April 22, 2015 1 Presenters Deborah Hiser (512) 703-5718 deborah.hiser@huschblackwell.com Ana Cowan (512) 703-5791 ana.cowan@huschblackwell.com Debbie Juhnke,

More information

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry IT leaders are battening down the hatches, according to Protiviti s latest

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015 Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key

More information

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution

Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report

More information

Cybersecurity Workshop

Cybersecurity Workshop Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Information Security Awareness Training

Information Security Awareness Training Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom 1 Connecting the dots:

More information

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

www.pwc.com Cybersecurity and Privacy Hot Topics 2015

www.pwc.com Cybersecurity and Privacy Hot Topics 2015 www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets

More information

The Importance of Senior Executive Involvement in Breach Response

The Importance of Senior Executive Involvement in Breach Response The Importance of Senior Executive Involvement in Breach Response Sponsored by HP Enterprise Security Services Independently conducted by Ponemon Institute LLC Publication Date: October 2014 The Importance

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information