One in three companies still lacks policies for its information security, data encryption and data classification, according to The Battle Continues – Working to Bridge the Data Security Chasm: Assessing the Results of Protiviti 2015 IT Security and Privacy Survey from global consulting firm Protiviti.

“It’s no stretch to state that the spectrum and sophistication of cyberattacks and the diversification of their origin will continue to increase,” said Cal Slemp, a Protiviti managing director with the firm’s global cybersecurity practice. “Companies appear intent on addressing data security issues, but are these intentions translating into effective policies and actions to secure organizations’ most valuable data? The results are mixed, at best, according to our 2015 survey. It’s increasingly important for organizations to avoid complacency and consistently enhance their infrastructure, data frameworks and response plans to protect, mitigate and manage potential breaches.”

The IT security and privacy survey, which gathered insights from 708 Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT vice presidents and directors and other IT management professionals, assesses security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics that organizations need to manage and improve. Protiviti’s report also includes recommended actions for IT leaders as well as trends to watch. Key findings from the 2015 survey include:

• “Tone from the top” is a critical differentiator – From strong board engagement in information security to management establishing “best practice” policies, effective security starts with the right tone from the top, which is as important as any policy. Only 28 percent of organizations indicated that there is currently a high level of engagement by the board (compared to 30 percent in the 2014 survey):

• A strong security foundation must include the right policies – Organizations that have all of their “core” information security policies in place – including acceptable use, data encryption and more – demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities.

• Many companies lack critical policies and an understanding of their “crown jewels” – Most have a less-than-excellent understanding of their most sensitive data and information (71 percent) and do not have strong awareness levels concerning potential exposures. Such gaps open up the organization to cyberattacks and significant security issues. Despite these findings, the survey suggests that organizations are now beginning to better understand how to manage and protect sensitive data such as private customer data (80 percent); intellectual property (63 percent); healthcare data (51 percent); and payment card industry information (47 percent).

• There aren’t high levels of confidence in the ability to prevent an internal or external cyberattack – While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they can prevent a targeted cyberattack, either from external parties or insiders. However, this mindset is not necessarily a bad thing – in fact, it may be a healthy one if the perspective drives a focus on improvement.

A complimentary survey report is available for download at: