A new survey indicates that organizations are not prepared for compliance audits, nor are they confident that employees are adequately protecting data. Numerous reports have reinforced that people are still the root cause of data breaches, even cyber attacks, so this fear is quite warranted.
The Security and Compliance Survey, conducted by Ipswitch, shows that the majority of businesses (59%) are not fully prepared to undergo a compliance audit. Though very few state it would be a “complete disaster,” nearly half of the respondents would rather have a root canal or work during holidays than undergo a compliance audit. According to the survey, the allocation of IT resources is the most costly part of a compliance audit, though 13% also cite emotional strain and stress related to the process.
Although these worries about undergoing an audit show a wariness as to compliance preparedness, particularly in easily providing compliance logs, the survey also highlighted the growing concern with the “people” problem that leads to data breaches. According to the survey, 75% of respondents lack confidence that colleagues authorized to work with sensitive information are adequately protecting it. It should come as no surprise, then, that security policies were one of the highest ranked measures (24%) in terms of importance in addressing data security. Other key measures included data loss prevention (34%), tracking and reporting (18%) and data encryption (18%).
In an eWeek interview about the survey, Paul Castiglione of Ipswitch noted:
“Security has never been an IT-specific issue. It encompasses technology, processes and people. It’s clear that malicious, and seemingly well-funded, third-party agents will continue to attack to acquire sensitive and private data stewarded by corporations and governmental agencies. Traditional techniques like phishing, stolen credentials and malware will continue to prevail so it’s critical to ensure basic protections are in place against those forms of attack. In the near future, IT will have the capability to stop threats rather than reacting to their consequences.”
At Absolute, we also advocate for a people, process and technology approach to data security. A data-led approach is based on three elements: policy (how data and devices can be used), training / education (that is engaging and relevant) and technology to protect the business if and when a data breach occurs. Such technology must be able to prove compliance processes are in place, such as can be achieved with Persistence technology by Absolute.