Who owns data security? Report highlights business confusion amid rising cyber threats
Published 26/01/2016 by Gordon Wilson, Chief Executive Officer, Advanced
More executives state responsibility for data security should reside outside of IT
Many UK businesses are confused about who should manage data security procedures, leaving them at risk from escalating cyber-attacks. This is according to a report, ‘The Data Security and Risk Management Review’, sponsored by managed service provider Advanced 365.
Cyber criminals are exploiting the weaknesses that arise when businesses store data in multiple locations and connect ever more devices to the internet. This has created a widening knowledge gap between IT professionals and other employees as organisations struggle to keep pace with new and evolving threats. As a result, senior executives have become increasingly concerned about whom they should entrust with driving their security strategies.
In the report’s survey of 300 UK IT decision makers, 49% stated the definitive authority for data security should reside outside of CIOs and the IT department. 75% surveyed said data owners should assume responsibility for data which belongs to a business. 71% argued security is a wider issue than just data and 56% believed it should fall under the remit of other departments, such as compliance.
In contrast, 41% felt that IT should keep hold of the reins due to having ‘experience of dealing with security issues’ and 10% were unsure whether security should sit within or outside IT.
Neil Cross, Managing Director of Advanced 365, comments,
“Highly publicised data breaches involving large enterprises have catapulted security to the top of the corporate agenda. While it is reassuring that board members are now taking greater interest, this has clearly created a difference of opinion as to who should lead on addressing security issues, which could leave businesses even more exposed.”
Organisations must also review existing controls around storing and accessing data ahead of the imminent EU General Data Protection Regulation (GDPR) to avoid significant fines in the event of a breach. Under the new EU rules, any organisation that manages and secures third-party access to personal data has a legal obligation to keep it secure. At the time of writing, the draft under discussion proposed fines of up to 5% of turnover; the text finally adopted sets the upper tier at 4% of annual worldwide turnover or €20 million, whichever is higher.
Cross adds, “To reduce the risk of a potentially damaging breach, businesses must define who is responsible for each specific area of security. This includes ensuring robust governance frameworks are in place for managing and safeguarding third-party access to their data to avoid significant fines under imminent GDPR compliance requirements.
“The new legislation will also have major implications for the providers of hosted and cloud services. Businesses must think carefully before choosing a trusted and experienced partner and pay particular attention as to the location of where their data will be stored.
“In response to this threat we have worked with our customers to create a service to help them understand the risks within their business. This is very definitely a product we are increasingly being asked to deliver.”
Advanced’s Secure IT Health Check service assists businesses in addressing and managing their security challenges. The health check analyses six key areas of a business: identity management; security awareness; end-point management; malware threats; configuration and compliance; and vulnerability management.
The output from the service is a report and action plan that the board can review and follow to harden the business’s defences against internet-borne threats.
The full Computing report, ‘The Data Security and Risk Management Review 2015’, is available from Computing.