Despite priority placed on cybersecurity, companies still have significant room to improve existing practices

MENLO PARK, Calif., Sept. 30, 2015 /PRNewswire/ -- At a time when cybersecurity breaches are becoming more frequent and significant, organizations are continuing to place a high priority on improving their cybersecurity frameworks. However, despite improvement in many areas, one in three companies still lacks policies for its information security, data encryption and data classification, according to The Battle Continues - Working to Bridge the Data Security Chasm: Assessing the Results of Protiviti 2015 IT Security and Privacy Survey (www.protiviti.com/ITsecuritysurvey) from global consulting firm Protiviti.

http://photos.prnewswire.com/prnvar/20090115/AQTH541LOGO

"It's no stretch to state that the spectrum and sophistication of cyberattacks and the diversification of their origin will continue to increase," said Cal Slemp, a Protiviti managing director with the firm's global cybersecurity practice. "Companies appear intent on addressing data security issues, but are these intentions translating into effective policies and actions to secure organizations' most valuable data? The results are mixed, at best, according to our 2015 survey. It's increasingly important for organizations to avoid complacency and consistently enhance their infrastructure, data frameworks and response plans to protect, mitigate and manage potential breaches."

The IT security and privacy survey, which gathered insights from 708 Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT vice presidents and directors and other IT management professionals, assesses security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics that organizations need to manage and improve. Protiviti's report also includes recommended actions for IT leaders as well as trends to watch. Key findings from the 2015 survey include:


    --  "Tone from the top" is a critical differentiator - From strong board
        engagement in information security to management establishing "best
        practice" policies, effective security starts with the right tone from
        the top, which is as important as any policy. Only 28 percent of
        organizations indicated that there is currently a high level of
        engagement by the board (compared to 30 percent in the 2014 survey):


    How engaged is your board of directors with information security
     risks relating to your business?

                                               2015        2014
                                               ----        ----

    High engagement and level
     of understanding by the
     board                                      28%        30%
    -------------------------                   ---         ---

    Medium engagement and
     level of understanding
     by the board                               32%        41%
    -----------------------                     ---         ---

    Low engagement and level
     of understanding by the
     board                                      15%        20%
    ------------------------                    ---         ---

    Don't know                                  25%         9%
    ----------                                  ---         ---

    --  A strong security foundation must include the right policies -
        Organizations that have all of their "core" information security
        policies in place - including acceptable use, data encryption and more -
        demonstrate higher levels of confidence and stronger capabilities
        throughout their IT security activities.
    --  Many companies lack critical policies and an understanding of their
        "crown jewels" - Most have a less-than-excellent understanding of their
        most sensitive data and information (71 percent) and do not have strong
        awareness levels concerning potential exposures. Such gaps open up the
        organization to cyberattacks and significant security issues. Despite
        these findings, the survey suggests that organizations are now beginning
        to better understand how to manage and protect sensitive data such as
        private customer data (80 percent); intellectual property (63 percent);
        healthcare data (51 percent); and payment card industry information (47
        percent).
    --  There aren't high levels of confidence in the ability to prevent an
        internal or external cyberattack - While two out of three organizations
        report being more focused on cybersecurity as a result of recent press
        coverage, most lack a high level of confidence that they can prevent a
        targeted cyberattack, either from external parties or insiders. However,
        this mindset is not necessarily a bad thing - in fact, it may be a
        healthy one if the perspective drives a focus on improvement.

About the Survey
The fourth edition of Protiviti's IT Security and Privacy Survey was conducted in the third quarter of 2015. Forty-eight percent of respondents work for organizations with $1 billion or more in revenue and 40 percent of respondents' companies are public. The majority of respondents' companies are located in North America.

Survey Resources Available: Report, Webinar, Infographic, Video and Podcast
A complimentary survey report is available for download at: www.protiviti.com/ITsecuritysurvey.

A 60-minute webinar with two of Protiviti's cybersecurity managing directors, Cal Slemp and Scott Laliberte, discussing implications of the survey results will be held on October 27 at 10:00 a.m. PDT. To register for the complimentary webinar, please visit http://www.protiviti.com/webinars.

An infographic and video summarizing the survey results are also available at www.protiviti.com/ITsecuritysurvey. Additionally, a podcast with Slemp discussing the survey results is available at www.protiviti.com/podcasts.

About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000(®) and 35 percent of Fortune Global 500(®) companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Named to the 2015 Fortune 100 Best Companies to Work For(®) list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Editor's note: infographic of survey results (in JPEG or PDF) and photo available upon request.

Logo - http://photos.prnewswire.com/prnh/20090115/AQTH541LOGO

To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/one-in-three-companies-lacks-policies-for-information-security-data-encryption-and-classification-according-to-protivitis-2015-it-security-and-privacy-survey-300151655.html

SOURCE Protiviti