Study: 62% of security pros don’t know where their sensitive data is

Ask organizations today about the value of data and you’re likely to hear it measured in terms of competitive advantage, customer experience and revenue generation. As Dante Disparte and Daniel Wagner put it in a December 2016 HBR article, data is “becoming a centerpiece of corporate value creation.”

“Today most organizations are data-driven to one degree or another. Data contributes not only to brand equity, but to what constitutes product and service delivery in globally connected and hyper-competitive markets,” the pair wrote.

But the value of data security is still largely defined “in terms of risk, cost, and regulatory compliance,” notes Forrester Research in the executive summary of a new report commissioned by data protection software provider Varonis Systems.

One of the key findings of the Forrester survey of 150 data security professionals in the U.S. and Canada is that while 76% of respondents claim a mature security strategy, the vast majority report facing technical challenges (93%) and organizational challenges (90%) with data security. And, Forrester says, they “are focused on threats rather than their data, and do not have a good handle on understanding and controlling sensitive data.”

For example, just 31 percent of respondents say they classify corporate data in the cloud based on its sensitivity.

In three key areas, though, employee data fares moderately better than customer data and sensitive structured data. Forty-one percent of survey respondents said they know where their employee data is located, while 38% said they know where their customer data and sensitive structured data is located. Forty-one percent of respondents said they classify employee data based on its sensitivity, compared to 40% for customer data and 37% for sensitive structured data. And forty-five percent of respondents said they audit all use of employee data and analyze it for abuse, compared to 36% for customer data and 39% for sensitive structured data.

Speaking to why the numbers were somewhat higher for employee data, Forrester analyst Heidi Shey told CSO, “With employee data, I think most companies feel like they have a (slightly) better handle on this because of the smaller universe of groups and applications that handle and use this type of information within the company. Typically, HR and Finance handles the bulk of sensitive employee and job applicant data, with pre-defined use cases and purpose for having this data, and regulatory requirements and labor laws that dictate handling and use requirements.” 

“Still, I think many companies may overlook the scope of what constitutes sensitive employee data,” Shey added. “There are the usual sensitive data types that come to mind like personal information, payroll and tax information, social benefits information. Yet if we start to think about employee personal data in broader context and with privacy in mind, more data types apply. Things like annual performance reviews, information generated by computer systems, expense reimbursements (e.g., travel), sickness records, etc. enter the picture. This is where classification becomes critical for a global company to stay on top of employee privacy and labor laws across different jurisdictions where they have employees.”

To learn more about what security pros have to say about the state of data security in their organizations, download the Forrester/Varonis report.