Businesses lax about storing sensitive data

Collecting privacy-sensitive data is nothing new for many companies. Assessing and securing that data, however, leaves much to be desired. That is the verdict of consultancy Protiviti, based on a survey of IT executives at multinationals.

Protiviti asked more than a hundred CIOs and professionals at multinationals about their data policies. More than 70 percent of these companies have revenues of over one billion dollars. A quarter of the CIOs at the surveyed companies cannot explain the difference between privacy-sensitive and other data. Marcel Koers, senior manager at Protiviti and a specialist in IT security and privacy issues, states that the results in the Netherlands are comparable to those in the rest of the world.

More than two thirds of the companies have a policy for classifying data and recognise privacy-sensitive data. Half of these companies actually carry out this classification. Koers: ‘Through the growth of online services, the development of mobile platforms and the rise of social media, sharing personal information has become commonplace for consumers. Companies hold more privacy-sensitive data than before and actively use it in their business models. This calls for greater awareness among the senior management of these companies.’

Koers states that this awareness must focus not only on securing data, but also on how privacy-sensitive data is used. ‘An intensive relationship with the consumer brings responsibility with it. For instance, collecting and processing special categories of personal data, such as religion, race and health, is prohibited by law.’

According to the Protiviti manager, there is a new reality in securing data: online developments call for heightened vigilance. ‘Cybercrime has matured, is international and stops at nothing.’ Companies must invest in securing their information, in enforcing their current policies more strictly, and also in building additional capabilities such as setting up a security operations center (SOC). ‘The question is not whether you will be hacked, but when. And when it happens, you must be ready.’

Some of the findings:

‘These organizations are now capturing a wealth of data on a daily basis – at least some of which is considered personally identifiable information. Thus they must understand how to classify, manage and secure that data, not only for the sake of their customers and clients, but also to be in compliance with myriad privacy laws and regulations. … The fact that management in close to one out of every four organizations has limited, little or no understanding of what comprises sensitive data and information should be considered troubling, especially given the potential ramifications related to regulatory compliance and reputation damage. In fact, just 26 percent of respondents said management in their organization has an excellent understanding of these areas, a figure that should be far higher.’

‘With regard to data storage and retention, there is evidence in the results that companies are defaulting to keeping the data and information too long – i.e., there is no clear data retention and destruction policy in place, suggesting they “keep everything forever.” Virtually every organization should have a detailed classification system in place to define its data, with varying retention policies and destruction dates depending on classification. Not having such a system creates unnecessary risks with regard to security and regulatory compliance, and also results in higher-than-necessary data retention and data management costs for information that an organization has no business need to keep’.

‘It also is clear that management is not doing nearly enough to communicate to the organization and its employees how to differentiate between sensitive and other data, and how to treat each of these. Most companies appear to have a policy in place to classify data, but are not doing enough to establish clear processes to do so, provide training, or communicate these policies and processes on a regular basis’. 

‘The other notable finding pertains to records retention and destruction policies. While 81 percent of organizations have such policies, which is a positive result, there is still room for improvement considering that one in five organizations apparently have no such policy. As previously stated, managing and protecting sensitive data is critically important, yet it also is vital to avoid a “default” policy of saving everything forever. Such an approach drives huge costs, including but not limited to the costs of acquiring and maintaining otherwise unnecessary storage capacity’. 

‘The results suggest that the movement to the cloud, at least in terms of storing sensitive data, is slower than market watchers are suggesting. But there is movement. The question is whether organizations know and understand the data they are storing off-site or in the cloud, or even if they are classifying what they are storing and where they are storing it. In most cases, a centralized environment – whether that is on-site or off-site – offers better control. Breaking this down further, there generally is less control over off-site servers and vendors than for on-site servers. Thus organizations need to be very careful when it comes to storing their sensitive data anywhere beyond an on-site server. Storage on a server that is physically located on company property must take place with the proper security standards and protocols, but these are easier to manage, monitor and control than at any off-site entity, whether that is in the cloud, at another location or multiple locations. This is not to say that organizations should not do this – rather, the key point is that it must be done carefully and with the proper security standards in place’.

‘When organizations are storing data off-site with another vendor, whether through the cloud or traditional outsourcing, they should ensure that the contracts appropriately deal with how data is stored and where it is stored to avoid any privacy or regulatory issues’.
