BLOOMFIELD, CT: One reason for data breaches is that IT and business executives don’t communicate, according to a study released this week.
The findings are derived from an extensive survey of 800 non-IT senior business decision-makers in Australia, France, Germany, Hong Kong, Norway, Sweden, the UK, and the US, taken in September. Global information security and risk management company NTT Com Security commissioned market research company Vanson Bourne to conduct the research.
The study found that only 24% of non-IT execs are kept up to date by the IT security team about data attacks and potential threats. Further, 16% rely upon their own judgment of what "safe behavior" is when using or accessing work-related data, but 23% say data security is a joint responsibility between them and the IT team.
In addition, 26% of business execs are unaware of how their organization’s spending on data security is split among the types of data and information it stores, such as the proportion that is spent on IP security and what is spent on employee data security, the study found.
"IT execs and business execs speak a different language because they have very different objectives," said Heather Antoinetti, marketing director at NTT Com Security. "IT execs are laser focused on securing the organization and protecting it from security breaches and attacks; and the business execs are focused on shareholder value and revenue, and customer loyalty."
The study also found an "alarming" disconnect between business policies and behavior, Antoinetti added. For instance, the surveyed executives said that only 10% to 12% of their IT budget is spent on data security, even though 65% of respondents also said data security is vital to their organization and characterized consumer customer data as the most important.
A need for education about data security among business leaders was another takeaway from the report. For example, 72% of surveyed execs believed that if they suffered a data-security breach, there would be minimal long-term damage to their company’s reputation; 54% said their reputation would recover from a data breach in less than three months; and, overall, the average time execs said it would take for their brand or reputation to recover from a security breach is five months.
"I was surprised to hear the fact that so many execs say that the average time to recover from a breach is only five months," said Antoinetti. "If you look historically, from a financial perspective, at some of the higher profile breaches that have happened over time, you do see costs that come up over a longer period of time than five months and you see share value decline."
To contend with these issues, Antoinetti recommended that companies practice "good security hygiene" and carry out proactive assessments to understand their security level.
"It is important that businesses do all the things we read about that are important to do, and have the right technologies in place," she said.
But even if companies are very security conscious, they should remain cognizant of the possibility that they could be breached anyway.
"Companies should be prepared with data breach response and incidence response plans to quickly identify, contain, and remediate a breach," Antoinetti added. "That is just as important as the prevention aspect."