A recent Deloitte security study found that 85 percent of survey participants reported numerous information security breaches that compromised the personal information of employees and customers.
The 2007 Deloitte Privacy Study reported that the breaches occurring throughout the year were often the result of negligent employees and lost equipment. Rena Mears, global and U.S. privacy and data protection leader for Deloitte, said these lapses lead to a reactive, ineffective response rather than a hands-on one.
“Not surprisingly, given the number of reported breaches, organizations continue to respond primarily with the ‘firefighting’-type method that we reported in last year’s privacy survey,” Mears said. “Both privacy and security professionals indicated that incident response continues to be their primary privacy activity, and relatively little time is spent on potentially more proactive activities, such as strategy, gap analysis and training.”
The respondents were divided into two groups, privacy management and security, and then asked a series of questions about activities, function, roles and resource allocation. The study's key findings were in the areas of employee training, program implementation and resource allocation.
According to the survey, just 7 percent of privacy and security professionals' time is spent training employees, yet respondents overwhelmingly stated that spending more time on training would make privacy breaches scarcer. Risk assessment frameworks and training-based programs also have a much lower adoption rate than governance-related ones. Finally, both privacy management and security professionals agreed that more than 60 percent of their time should be spent on incident response, strategy development and other proactive activities.
While it’s impossible to flick a switch and stop every breach overnight, the progress since last year’s study shows that the industry is headed in the right direction.
“The results of the survey indicate that organizations have continued to adopt the enterprise privacy function as part of the natural evolutionary process associated with recognizing and treating private data as a core asset,” Mears said.