Risk:Value Report - NTT Com Security

Risk:Value Report Do senior executives understand their role in data security? 2014

Contents

Scope of research/methodology
Research methodology
Aims of the research
Summary of key findings
Defining the personas
Methodology
Persona characteristics
Different personas, different attitudes and experiences
Persona one: The Enlightened
Policies and procedures
Enlightened respondents understand the importance of policies and procedures
Extensive knowledge
Enlightened, but not perfect
Persona two: The Informed
Policies and procedures
Almost Enlightened?
Limited budget equals limited protection
Persona three: The Passive
Data security is someone else’s concern
Low level of knowledge
Persona four: The Complacent
Data security is not important to Complacent respondents or to their organisations
Conclusion

Scope of research/methodology

Research methodology

NTT Com Security commissioned independent technology market research specialist Vanson Bourne to undertake the research upon which this report is based. 800 interviews were carried out during autumn 2014 with senior business decision makers outside of the IT department in organisations of at least 500 employees.

Respondents to this research came from a wide variety of industry sectors and sizes of organisation. As a result, the findings of the research should be considered to be indicative of the market as a whole rather than the concerns and problems of any specific group.

Figures D1 and D2: “How many employees work in your organisation?” and “In which sector would your organisation be categorised?”, total sample (800 respondents)

Interviews were performed in eight countries:

US - 100 interviews
UK - 100 interviews
Germany - 100 interviews
France - 100 interviews
Sweden - 100 interviews
Norway - 100 interviews
Hong Kong - 100 interviews
Australia - 100 interviews

Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate. Unless otherwise indicated, results discussed are based on the persona sample groups within each section.


Aims of the research

The actions and opinions of senior executives in a non-IT role can have an impact upon how their organisations use and secure the data that they collect and store. This is despite – or in some cases because of – the fact that these senior executives may not have first-hand technical knowledge.

The study looks at the status of data security in respondents’ organisations. It also examines the relationship that senior executives have with their organisation’s data, as well as their knowledge about data security procedures and capabilities. Respondents’ own personal attitudes to data security are also examined.

How important do senior executives perceive their organisation’s data to be to the success of the business – i.e. what is the value of this data? Combining this data with that of the proportion of IT budget spent on data security, respondents are classified into one of four persona groups that shows the maturity of their attitude towards data security. How the data varies between these four persona groups, and what this variation demonstrates about organisations’ data security, is also examined.

What happens if an organisation suffers a data breach? Are any of the personas more likely to suffer as the result of a data breach?


Summary of key findings

Enlightened decision makers are likely to work in organisations that protect their data
They are the most likely to have completely secured all of their data (42%)
They are also likely to have completely secured all of their critical data (62%)
But only a third (33%) value work related data more than their own personal data

Complacent respondents do not regard data as being important to their organisation
Respondents in this group are unlikely to work in an organisation that has a recovery plan in the instance of a security breach; just 24% report that their organisation has this
This shows that where business decision makers do not recognise the importance of data, they are unlikely to be guided by an official procedure if a breach occurs

Informed decision makers are implementing data policies
29% report that they are in the process of implementing a formal data security policy – making this group the most likely to say this
When it comes to disaster recovery plans, this second group is also the most likely to be in the process of implementing a plan (26%)

Passive respondents value data but do not protect it
These respondents understand the importance of data but don’t know how much of their organisation’s IT budget is spent on data security
Almost all of the respondents in this persona group (93%) do not know the details of what the financial impact would be of a data security breach in their organisation


Defining the personas

Methodology

The research examines how senior executives value their organisation’s data, and compares this to how committed their organisation is to protecting that data. In order to compare the differences of opinions and actions, the respondents are split into groups. From this, it can be understood what level of risk each group is likely to pose to their organisation’s data security, and why this risk exists.

Data is combined from questions that measure two sets of data:

1) All respondents report how important each of six different types of data are to the success of their business. These data types are: consumer customer data, business customer data, intellectual property data, research and development data, business performance data, and employee data. If respondents report that at least five of these types of data are important to their organisation’s success, they are classified as recognising the value of their data.

It is important to note that this first set of data measures respondents’ opinions about how data is useful to their organisation. This means that the responses here are specifically the views of the respondents.

2) All respondents also report how much of their organisation’s IT budget is spent on data security. Respondents that report 10% or more of their IT budget is spent on data security are classified as working for organisations that understand the importance of their data.

This second set of data measures the extent to which respondents’ organisations are investing to protect their data. However, where respondents’ knowledge is lacking in this question, it also provides a further measure of the respondents’ views and attitudes.

Figure 1: Combined total of those who rate each type of data as 'quite important' and 'vitally important', total sample (800 respondents)

Figure 2: “What percentage of your organisation's IT budget do you estimate is spent on data/information security?”, total sample (800 respondents)


The resulting four persona groups are split as follows:

Figure 3: Number of respondents in each persona group (The Enlightened, The Informed, The Passive, The Complacent), total sample (800 respondents)

Persona characteristics

Persona one: The Enlightened

These respondents understand the value that data has to their organisation. They classify at least five, if not all six, types of data as important to the success of their business. They also work in organisations that commit at least 10% of their IT budget to data security, which shows that these organisations also recognise that data security is an important aspect of their business.

Persona two: The Informed

These respondents also understand the value that data has to their organisation. As with the Enlightened respondents, they classify at least five, if not all six, types of data as important to the success of their business. However, the organisations that Informed respondents work in commit no more than 10% of their IT budget to data security, and usually less. This shows that these senior executives are likely to understand the value of data, but that their organisations are not prepared to commit significant resources to supporting data security.

Persona three: The Passive

Similar to the first two persona groups, these respondents understand the value that data has to their organisation but are unaware of the proportion of the IT budget that their organisation commits to data security. This persona group therefore is not aware of the details of how important data is regarded by their organisation.

Persona four: The Complacent

In contrast to the other three persona groups, these respondents do not appreciate the importance that much of their data has to their organisation. They are also usually either unaware of the amount of IT budget that their organisation commits to data security, or are aware that their organisation only commits a small amount of their IT budget to it.

Different personas, different attitudes and experiences

These four persona definitions only give an indication of the profile of each group. But by looking at these groups in more detail, the data will reveal where there are consistent behaviours of respondents and organisations, and the likely outcomes to such behaviour.

Does respondent indifference to data imply poor data security? Does lack of budget limit organisations’ abilities to recover from a data security breach? How far is respondents’ knowledge about data security (or lack of knowledge) reflected in the knowledge of other employees within their organisation? How secure is the data in their organisation?

Looking at each persona group in turn, the research looks at their organisations’ data security abilities and the respondents’ own personal views and actions of how they treat and regard data. The research also shows what the implications are of this to the data that is held by these organisations.


Persona one: The Enlightened

Policies and procedures

This group is likely to work in organisations that have a data security policy (71%) and that have a recovery plan in the event of data loss or a security breach (62%). When taking into account the fact that around one in six are in the process of implementing a security policy (17%) or recovery plan (18%), this means that in the near future, almost everyone in this group will work in an organisation that has some kind of formal procedure for protecting the organisation.

Figure 4: “Do you have a formal data security policy/business or disaster recovery plan in the event of a security breach or of non-compliance of data security?”

Enlightened respondents are also most likely to work in organisations that are insured for data breaches and data loss (61%). Almost nine out of ten (89%) work in organisations that are insured for either data loss or security breaches.

Figure 5: “Does your company insurance cover the financial impact of data loss or of a data security breach?”

Enlightened respondents understand the importance of policies and procedures

It is not only the organisations of these respondents that are in a strong position when it comes to data security. The respondents themselves also show that they are likely to respect the importance that data has in their organisation. This group is the most likely of all the persona groups to regard data security as being a business enabler (33%). They are also the most likely to regard data security as being vital to their organisation (56%).


Figure 6: “Which of the following words and phrases do you associate with data security?”, comparing Enlightened respondents with all respondents (800 respondents)

This group is also the most likely to research and buy the security software they think is best to protect their own personal data on their own personal devices (59%).

Figure 7: “Thinking about how you access the internet and protect your own personal data while using your own devices, which of the following statements apply to you?”, comparing Enlightened respondents with all respondents (800 respondents)

This shows that these respondents are likely to understand the importance of data security at home as well as at work. Sensible behaviour when it comes to accessing data at home can reflect similar behaviour and attitudes when it comes to accessing data at work.

This persona group’s understanding of how important data is to their organisation is shown in their understanding of the impact of a security breach.

Figure 8: “What impact would you estimate that a data security breach of your organisation's data might have in terms of revenue?”, comparing Enlightened respondents with all respondents (800 respondents)

Enlightened respondents report the highest average potential revenue loss resulting from a data breach (10.1%) out of all the groups. This shows why they are more likely to report that their organisations have a data security policy and protect all of their critical data: they are fully aware of the impact that a data breach can have upon revenue.


Extensive knowledge

Enlightened respondents are likely to understand why their organisation has a data security policy or recovery plan. This understanding is not just a case of blind trust: it is based upon genuine knowledge of how their organisation’s data security is organised and maintained.

They are likely to have good general knowledge regarding their organisation’s processes for data security. Very few of these respondents report that they do not know the details of various aspects about their organisation’s data security.

Figure 9: Proportion that is unaware of various details regarding the organisation’s data security abilities

Just 7% are unaware of whether their organisation has a recovery plan, and even fewer are not aware of whether their organisation has a formal data security policy (3%) or how much of their organisation’s critical data is completely secure (2%). These respondents are likely to have this knowledge despite the fact that they are not in a technical role.

In addition, only 4% do not know how many employees are aware of and understand the data security policy, of those that have such a policy. Senior executives often will be responsible for cascading knowledge and best practice to other employees, and the fact that almost all are aware of the extent of their employees’ knowledge on this issue shows that they understand how important this is to their organisation.

Enlightened, but not perfect

However, even Enlightened respondents have some areas of weakness. These respondents are the most likely persona group to say that they value work-related data more than their personal data (33%).

Figure 10: “Thinking about the data you access at work and your personal data that is stored on your home desktop/laptop PC, which do you value more greatly?”

However, this figure is still significantly less than half. This shows that even though these respondents hold their work-related data in high regard, a significant number still instinctively value their personal data more, or at least value personal data equally to work-related data.


Enlightened respondents are the most likely to say that all of their organisation’s data is secure. They are also the most likely group to say that their organisation’s critical data is secure (62% compared to the total average of 44%).

Figure 11: Percentage that report that their organisation has completely protected the different types of data that they store, comparing Enlightened respondents with all respondents (800 respondents)

However, it is still only 42% of the Enlightened respondents that report that their data is completely secure. This means that over half of Enlightened respondents are not confident about their organisation’s ability to protect at least some of their data. This is despite the fact that most do have a formal security policy.

When it comes to the specific types of data that organisations store (customer data, intellectual property, employee information), no more than half of respondents in this persona group report that their organisation has completely protected any individual one of these.

Similarly, only 62% say that their organisation has completely protected all of their critical data. While this is a majority, it still leaves over a third of these respondents in an organisation that is struggling to protect even the most important data at a minimum.

Enlightened respondents are likely to have the correct attitude towards data, and are also likely to be provided with the tools to be able to protect their organisation’s data. However, there are still significant numbers of Enlightened respondents who work in organisations that are not completely protecting their data. Even though these organisations are likely to be well placed to deal with any problems that result from this, it should not prevent improvements in data security being made where at all possible.


Persona two: The Informed

Policies and procedures

Informed respondents differ from Enlightened respondents primarily due to the difference in IT budget of their organisations that is assigned to data security. Informed respondents work in organisations that assign no more than 10% of their IT budget to data security, whereas Enlightened respondents assign at least 10% of their IT budget to this, if not more. But does this difference in budget impact the ability of the organisations to protect their data?

Informed respondents are likely to work in organisations with a formal data security policy (55%) or a recovery plan (47%). Informed respondents are therefore almost as likely to work in organisations with a policy or plan as they are to not. This means that a significant number of these organisations should improve their basic data policies if they are to secure their data.

Figure 12: “Do you have a formal data security policy/business or disaster recovery plan in the event of a security breach or of non-compliance of data security?”

Almost Enlightened?

The Informed respondents are likely to have good general knowledge regarding their organisation’s processes for data security. Few of these respondents report that they do not know the details of various aspects about their organisation’s data security. This is similar to the number of Enlightened respondents that report this.

Figure 13: Proportion that is unaware of various details regarding the organisation’s data security abilities

Only a few percent in each case report that they do not know the details of how their organisation’s data security policy functions and how effective it is. This shows that even though they are less likely to work in organisations with formal data policies, Informed respondents are still very likely to be aware of how data security functions within their organisation.

Do the attitudes of Informed respondents also differ significantly to that of Enlightened respondents?


Informed respondents are only a little more likely than the Enlightened respondents to say that they value their personal data more than work-related data (19%). However, they are still significantly less likely to report this than are the Complacent respondents.

Figure 14: Percentage of respondents that value their personal data more than work-related data, split by persona group (800 respondents)

Informed respondents are also less likely than Enlightened respondents to research and buy the security software that they think is best to protect their own personal data on their own personal devices. However, it is still more than four out of ten that do this (44%), and it is only a few percent that do not take any actions at all to protect their own devices. This shows that Informed respondents are likely to have a good level of general knowledge when it comes to data security, and that this even extends to how they treat their own personal data.

Figure 15: “Thinking about how you access the internet and protect your own personal data while using your own devices, which of the following statements apply to you?”

Informed respondents are slightly less likely to see data security as a business enabler (22%) than Enlightened respondents are.

Figure 16: “Which of the following words and phrases do you associate with data security?”

However, Informed respondents are almost as likely as Enlightened respondents to see data security as vital to their organisation (54%, compared to 56%). The main difference between Enlightened and Informed respondents lies in their organisation’s data security abilities, rather than in the attitudes to data security of the respondents themselves.


Limited budget equals limited protection

The ability of an organisation to protect their data depends, at least to some extent, upon the budget that they are able to assign to data security. Enlightened respondents’ organisations are more likely to have already adopted a security policy or recovery plan than organisations of Informed respondents. However, Informed respondents are more likely to report that their organisation is in the process of adopting a security policy (29%) or adopting a recovery plan (26%).

Informed respondents understand the importance of data similarly to Enlightened respondents. In spite of this, the relatively lower budget has had an impact upon the number of organisations to have already adopted security policies and recovery plans in Informed respondents’ organisations. Even though a significant number of respondents do report that their organisation is in the process of adopting these, this slower rate of policy adoption can make these organisations more vulnerable to a data breach than the organisations of Enlightened respondents.

Figure 17: “Do you have a formal data security policy/business or disaster recovery plan in the event of a security breach or of non-compliance of data security?”, showing comparison of Informed and Enlightened personas

Overall, the organisations of Informed respondents are almost equally likely to have either adopted a security policy or to be in the process of doing so (84%) compared to Enlightened respondents (88%).

Similarly, Informed respondents are almost equally likely to have either adopted a recovery plan or to be in the process of doing so (73%) compared to Enlightened respondents (80%).

Persona three: The Passive

Data security is someone else’s concern

Passive respondents are similar to respondents in the first two groups in that they understand the importance of data to their organisation. However, a key difference is that Passive respondents are unaware of the proportion of their IT budget that is spent on data security. This general lack of knowledge follows a similar pattern through their other responses, showing that they are likely to be relying upon the knowledge of others when it comes to their organisation’s data security.

None of the respondents are in an IT role and yet, as senior decision makers, they will have access to important data. Relying upon others to action and enforce data security can place important data at risk if the security is inadequate.

Passive respondents are most likely to say that they do not know if their organisation has a formal data security policy (34%) or a recovery plan (52%).

Figure 18: “Do you have a formal data security policy/business or disaster recovery plan in the event of a security breach or of non-compliance of data security?”

However, this group is the least likely to say that their organisation does not have a security policy (7%) or recovery plan (6%). This means that they are almost equally as likely as the Informed respondents are to report that their organisation has a formal data policy (59%) or a recovery plan (42%). Therefore, despite the relatively low level of knowledge these respondents have, it does not necessarily mean that their organisations do not have a policy or recovery plan in place. But does this lack of knowledge matter?

Low level of knowledge

Passive respondents are consistently the most likely to display low knowledge regarding their organisation’s data security policies.

Figure 19: Proportion that is unaware of various details regarding their organisation’s data security abilities


30% do not know if all of their organisation’s critical data is completely secure. A similar number (32%) do not know if they are kept fully up to date by their IT security team. This should be extremely concerning to the organisations of these respondents, as it indicates that there are a significant number of senior executives who are unaware of whether their IT security team is relying upon them to take action or make decisions on issues of data security. Organisations have valuable data that needs to be protected, but key decisions can rely on the input of senior executives in non-IT roles.

Almost all of these respondents (93%) also do not know how the security budget is split between different types of data. This shows that these respondents are unlikely to know which types of data that they should be prioritising when it comes to protection, even if as previously stated, they are aware that certain data types are important to the success of their organisation.

Furthermore, Passive respondents are also unlikely to know the impact of a data breach or if their organisation is able to minimise the damage of such a breach. Eight in ten Passive respondents (82%) do not know what proportions of lost revenue would come from the different types of data that their organisation stores. Of those who report that their organisation is insured against data breaches or data loss, 79% do not know the detail of exactly what is covered by their organisation’s insurance. This shows that senior executives may not have the requisite level of knowledge to take the correct actions in the case of data loss or a security breach. This would be the case even where it is the Passive respondents themselves being responsible for losing the data.

Passive respondents also report the lowest estimated revenue loss average of all the groups in the instance of a data breach (5.9%).

Figure 20: “What impact would you estimate that a data security breach of your organisation's data might have in terms of revenue?”, comparing Passive respondents with all respondents (800 respondents)

This shows the impact of low levels of knowledge among senior executives. Passive respondents estimate, on average, a lower revenue loss compared to the Enlightened respondents (who estimate the loss to be as high as 10%). Given the high level of knowledge that Enlightened respondents demonstrate about their organisation’s data security, it is likely that the 5.9% average reported by Passive respondents is an underestimate of the reality. Despite this, even 5.9% is still a huge amount of revenue for an organisation to lose in a single security incident.

This relative underestimation is despite the fact that these respondents do understand how important data is to their organisation. This demonstrates that understanding the importance that data has to the business is not enough, unless this understanding is supported by good awareness of how the organisation protects this data. Lack of knowledge, whether it be concerning the existence of policies or the impact of data loss, can be a security risk where senior executives are required to make far-reaching decisions and enforce procedures involving data. And the Passive respondents are the persona group most likely to be a security risk of this kind.


Persona four: The Complacent

Data security is not important to Complacent respondents or to their organisations

Complacent respondents reveal contrasting views to respondents from all the other groups. Primarily, they are less likely to regard data as being important to their organisation. As a result, their opinions and knowledge of their organisation’s data security procedures are more varied than that of the other persona groups. The organisations that they work in are also less likely to have procedures in place to protect their data.

The low opinion that Complacent respondents are likely to hold about their organisation’s data can be seen in the fact that just 8% regard data security as a business enabler, and only 33% regard data security as vital to their organisation.

Figure 21: “Which of the following words and phrases do you associate with data security?” Vital to our organisation: 33%; A business enabler: 8%.

This shows how only a few Complacent respondents value their data, and how few regard their organisations’ data as being worth protecting. They are the only persona group where a similar number of respondents report that their organisation does not have a security policy at all (35%) as do have a security policy (36%). Furthermore, 38% report that their organisation does not have a recovery plan, and only 24% report that their organisation does have a plan (with the remaining 38% either currently designing a recovery plan or else not being aware of whether their organisation has a recovery plan).

Figure 22: “Do you have a formal data security policy/business or disaster recovery plan in the event of a security breach or of non-compliance of data security/insurance cover for the financial impact of data loss or a security breach?” We have a formal security policy: 36%; We do not have a formal security policy: 35%; We have a recovery plan: 24%; We do not have a recovery plan: 38%; We have insurance cover for both data loss and security breach: 28%; We do not have insurance cover at all for data loss or a security breach: 38%.

Similarly, Complacent respondents are the most likely to report that their organisation does not have any insurance at all to cover either data breach or data loss (38%). Only 28% report that their organisation is covered for both data breach and data loss. A further 34% report that their organisation is only covered for data breach or data loss, but not both. This shows that the attitude of these respondents – that most data is not vital to their organisation’s success – is likely to be a reflection of their organisation’s stance towards data security.


As a result, very few of these respondents report that their organisation’s data is completely secure. Only 12% report that all of their organisation’s data is completely secured, and this only rises to 23% when it comes to the organisation’s critical data. The organisations of Complacent respondents are the least likely to be completely protecting their critical data.

Complacent respondents are also the persona group that is the most likely to say that they value their own personal data more than work-related data (33%).

Figure 23: Percentage that report that their organisation has completely protected the different types of data that they store. Categories shown: all data (12%), critical data (23%), consumer customer data, business customer data, employee information data, business performance data, intellectual property data, R&D data.

Figure 24: “Thinking about the data you access at work and your personal data that is stored on your home desktop/laptop PC, which do you value more greatly?” Response options: I value work-related data more than my personal data; I value personal data and work-related data equally; I value my personal data more than work-related data (33%).

This reflects how the data of these respondents’ organisations is not regarded with the respect that it should be, and that the importance of the data is not understood. Even though Complacent respondents are generally more likely to know the details of their organisations’ data security procedures than Passive respondents, the fact that they are less likely to regard work data as important to their organisation means that this group is likely to be a data security risk. In addition, if an organisation is not able to protect, at the very least, its critical information, then this also poses a significant security risk. Complacent respondents therefore are likely to work in organisations where data is at risk in a number of different ways, whether it be through their inability to secure their data or through the lack of knowledge of their senior executives.

Most worryingly, as far as the customers of these organisations are concerned, only around one in five respondents say that the data for all of their customers (whether they be business or consumer customers) is completely secured. A security breach in these organisations could result in extremely damaging results for the customers of these organisations, as well as the organisations themselves.


Conclusion

Enlightened respondents are the strongest performing of the four persona groups, both in terms of their personal attitudes and the data security abilities of their organisations. However, only a minority of respondents are classified in the Enlightened category. This is because it is just this minority of respondents who understand the important role that data plays in their organisation, and understand that this role makes their organisation’s data worth protecting. This understanding is complemented by the actions of these respondents’ organisations, which are committing a significant amount of the IT budget to data security.

The weakest performing of the groups are the Complacent respondents. Even though this group only represents around one in six of those that were interviewed, their responses show that this group has particularly poor regard for their organisation’s data. In many cases they reveal severe weaknesses in their organisations’ abilities in protecting their data. The fact that there is only a relatively small proportion of respondents classified in this group demonstrates that in most organisations, data is regarded as being important to the success of the business. This emphasises the extent to which the organisations of Complacent respondents are lagging behind most other organisations when it comes to their data security.

Enlightened respondents are likely to work in organisations that have data security policies, and that protect all of their data. But even in this group, there are a minority of respondents who report a weakness within their organisation, whether it is with a lack of data policies, recovery plans, or data protection. Given their recognition of the importance of data, these respondents are best placed to understand the need to improve data security within their organisation, and to have the budget to support improvements. And these Enlightened respondents should be encouraged to push for these improvements.

But responses from the other three persona groups show that their organisations are in a significantly weaker position. Informed respondents may share the attitudes of the Enlightened respondents regarding data, but they are working in organisations that commit a lower proportion of IT budget to data security. And this lower budget means that organisations can be slow to adopt data policies or recovery plans, delaying their ability to protect all of their data as a result. These Informed respondents should be encouraged and assisted in lobbying for an increased data security budget.

Passive respondents may understand the importance of data, but their knowledge regarding the detail of how this functions within their organisation is severely lacking. Decision makers should be aware of data policies in order to take the correct actions and cascade the correct information to other employees. If this does not happen, then any data policies that do exist can have minimal influence upon how secure the data is. Passive respondents may understand the big picture, but they also need to understand the importance of being aware of the details of data security. By knowing these details they will be able to improve their organisation’s data security abilities and improve procedures.

Complacent respondents are less likely to see data as important to the success of their organisation. They are also more likely than the other persona groups to see their own personal data as more important than their organisation’s data. This group is therefore significantly less engaged with issues regarding work-related data, and so is less likely to understand the importance of data security policies. And that is assuming that their organisation has a data policy at all. As a result, if a data breach does occur in these respondents’ organisations, they are unlikely to be well placed to minimise the damage of such a breach. Complacent respondents need to understand the true value that data holds in their organisation. Once this has been achieved, they will understand more clearly why it needs to be protected, for their customers’ sakes, if not for their own.

Enlightened respondents are the ideal model for business decision makers. These respondents understand and enforce the data security policies and procedures of their organisation. Organisations need to not only encourage their non-IT senior business decision makers to follow this ideal, but they also need to provide a sufficient budget, the right tools and policies that will make following this ideal as easy as possible for their employees.


About NTT Com Security: NTT Com Security (formerly Integralis) is a global information security and risk management organisation, which delivers a portfolio of managed security, business infrastructure, consulting and technology integration services through its WideAngle brand. NTT Com Security helps organisations lower their IT costs and increase the depth of IT security protection, risk management, compliance and service availability. NTT Com Security AG is headquartered in Ismaning, Germany and is part of the NTT Communications Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world. For more information, visit http://www.nttcomsecurity.com

About Vanson Bourne: Vanson Bourne is an independent specialist in market research for the technology sector. Our reputation for robust and credible research-based analysis is founded upon rigorous research principles and our ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit www.vansonbourne.com
