Do Company Execs Know Sensitive Data When They See It? Many in IT Say No

Data collection has advanced, but tech officials at a quarter of firms in Protiviti survey cite “limited or no understanding” of sensitivity.

By Roy Harris

Today’s companies, clearly very good at collecting data, seem “less savvy when it comes to how to classify and manage it.”

That’s the conclusion of a survey among 100 IT executives and others conducted by global consulting firm Protiviti, which finds that there is “limited or no understanding of the difference between sensitive information and other data” at nearly a quarter of the companies participating in its survey.

The report is titled “The Current State of IT Security and Privacy Policies and Practices.” Its topics: how organizations classify and manage the data they accumulate, specifically how they ensure customer privacy when they handle sensitive data, and how they comply with federal and state privacy laws and regulations.

Holding Data Too Long

The survey results were compiled in Q4 2011 and Q1 2012 among CIOs, security officers, IT audit vice presidents, and others from companies in a variety of industry sectors. Nearly 70% were from companies with $1 billion or more in revenue.

“Organizations have made significant strides over the past decade integrating enterprise applications and collecting terabytes of valuable customer, supplier and employee data,” Kurt Underwood, Protiviti’s managing director and global head of IT consulting, said in a press release. “However, our survey shows that many companies are holding onto more data than is prudent and for longer time frames than necessary, which poses significant data security and privacy risks. There are opportunities for executives to significantly reduce legal exposures, while driving sensitive data management improvements and cost savings.”

In the survey, 23% of respondents said senior management appeared to have “limited or no understanding” of the difference between sensitive information and other data, while 26% believed senior managers had an “excellent” understanding of these differences.

Said Cal Slemp, Protiviti managing director and head of IT security and privacy: “This basic understanding of what constitutes ‘sensitive’ is absolutely critical because it sets the tone for how data is treated in every phase of its lifecycle – from collection to destruction. Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks.”

Data Classification Policies

The survey also found that 69% of companies in the study believe they have a clear data classification policy for categorizing information as sensitive, but only 50% have specific plans for classification – “suggesting a possible gap in data management.”

It also showed that 86% of respondents have an “acceptable use” policy to control data leakage, 81% have a record retention and destruction policy, 75% have a written information security policy, and 65% have a data encryption policy.

“Organizations with these kinds of data leakage policies in place considerably reduce their risk of substantial legal fines and reputation damage,” according to Underwood.

Nearly three of every four companies in the survey said they had a crisis response plan in place for data-breach and hacking incidents. But 27% of the executives questioned either said their companies had no such plan, or didn’t know whether one existed.