eDiscovery Daily Blog

One in Three Companies Lacks an Information Security Policy, According to New Study: eDiscovery Trends

According to a new cybersecurity study, despite improvement in several areas, one in three companies still lacks policies for information security, data encryption and data classification.

As discussed in Inside Counsel (Majority of companies lack policies for info security), Protiviti, a global consulting firm that has served over 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies, has just released its 2015 IT Security and Privacy Survey, which aims to address whether organizations’ efforts are translating into effective policies to secure the “crown jewels” of organizations.

The survey, which gathered insights from 708 Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT VPs and directors and other IT management professionals, assesses security and privacy policies, data governance, data retention and storage, data destruction policies, and third-party vendors and access, among other topics.  48 percent of respondents work for organizations mainly in North America with $1 billion or more in revenue.

Other key findings:

  • Only 28% of respondents indicated that their board of directors had a high engagement and level of understanding with respect to information security risks, down from 30% in 2014 and only slightly higher than “don’t know” respondents at 25%;
  • Only 66% of companies had a written information security policy (WISP) and slightly more than half of responding companies (55%) had a social media policy;
  • Despite considerable recent press coverage of cybersecurity and data breaches, only 23% of respondents indicated significantly more interest and focus on information security, down from 32% last year;
  • Respondents at companies with high board engagement with respect to information security risks indicated a reasonably high level of confidence (0 on a scale of 1-10) in their organization’s ability to monitor, detect and escalate potential security incidents by a well-funded attacker (as opposed to 6.5 for those companies without high board engagement in information security).

This is just a sampling of some of the key findings.  Like last week’s survey that we covered on eDiscovery, this survey report is free!  The full survey is available here with a handy-dandy one-page infographic of the survey results also available here.

So, what do you think?  Do any of these results surprise you?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.