Monday 12 January 2009

Financial firms must try harder

After the publicity avalanche of data breaches in 2008, you could be forgiven for thinking that public and private sector organisations have already begun to take data protection more seriously. Unfortunately, new research seems to suggest the opposite.
Now, with research-based stories, the canny journalist should always be a little sceptical. Does the surveying organisation in question have an agenda? How representative is the sample size? And what questions were they asked? These are just some of the factors that could affect the degree to which we can learn from various studies. But when the source is PricewaterhouseCoopers, and the survey covers over 660 global financial institutions, it's probably worth taking notice of.
The figures, part of PwC's sixth annual Global State of Information Security study, point to a disturbingly lax approach to data security among firms which should know better. Over half said they had "no accurate inventory of where personal data for employees and customers is collected, transmitted or stored".
Given the importance of encryption to a holistic data protection strategy, it was also disappointing to see the figures from this part of the survey. Forty-one per cent said they do not encrypt data stored in databases, 52 per cent do not encrypt file shares, 43 per cent do not encrypt backup tapes, and 33 per cent do not deploy laptop encryption. The latter is especially worrying given the growing likelihood that laptops and other digital devices will go missing from time to time, and the increasingly mobile nature of today's workforce.
But it was the attitude to third party service providers that was probably most disturbing. Fifty-one per cent of respondents said they don't require third party providers to abide by the respondents' own privacy policies, while only 45 per cent said they perform due diligence on third party companies which handle the personal data of customers and employees.
The risk of data going missing because of mishandling or poor controls by partners and third party suppliers is well known by now; there have been enough high profile incidents to make that clear. What is most worrying is that financial services firms are usually among the most advanced in terms of their data security policies. Let's hope this picture isn't repeated across the board.
