Data breaches not being disclosed: survey
September 25, 2008: A survey of 300 international public and private sector organisations by Logica has found that companies are failing to report data security breaches to clients.
Of the IT Directors, CTOs and IT security managers questioned for the survey, 60 per cent of those who had experienced a data breach did not tell their clients, and half failed to tell the police or authorities.
The study, conducted in conjunction with the e-media group, surveyed 300 public and private sector organisations over the last two months. The findings revealed that more than half (57 per cent) of those surveyed have “no idea” or understanding of the impact of a security breach on their business or organisation. A continued lack of engagement with the issue is evident: just 16 per cent of firms have a “Value at Risk” profile for the information assets they own or control, and half of respondents believe that security is solely an IT departmental issue.
Tim Best, Director of Enterprise Security Solutions at Logica, commented on the findings: “It is time to take action – it should be mandatory for all organisations to report significant breaches of confidential personal information to the Information Commissioner or their regulatory body. Only through mandatory reporting will the scale of the problem be understood, which will lead to the correct solutions being applied.”
The study also demonstrated a lack of awareness of how to securely manage data and a lack of knowledge of how to prevent a security breach among many organisations. Only 30 per cent educate staff in IT security and information handling procedures on a regular basis, and fewer than a third employ a dedicated security incident response team. The survey also revealed that while 63 per cent of those surveyed hold personal data subject to EU data handling regulations, only a quarter comply with ISO 27001/2, meaning that companies are not adhering to recognised security procedures when storing personal data.