In order to manage cybersecurity risk effectively, data protection policies must be developed. However, a new research study conducted by risk and business consulting firm Protiviti, suggests that a third of companies have not yet developed data protection policies. When data protection policies have been implemented, many are insufficient and leave the company vulnerable to a cyberattack.

Data protection policies are inadequate or non-existent in many cases

Over 700 information security professionals and executives were polled and asked about their company’s efforts to keep data secure. Questions were asked about data retention, storage and secure disposal, as well as governance, privacy policies and a wide range of cybersecurity controls. It would appear that many firms were not managing cybersecurity risk effectively, leaving them vulnerable.

Information security solutions may have been implemented, but basic controls such as the development and issuing of data protection policies had been neglected. When policies had been written and implemented, many were insufficient and did not cover even a fraction of the elements necessary to keep systems and data secure. Many security holes were allowed to persist.

To manage cybersecurity risk, start at the top

The board must become involved in cybersecurity decisions and should take a greater interest in keeping their organizations secure. Policies must be developed that set rules for the entire organization, and awareness of data and network security must be improved. All members of staff must be made aware of the current threat levels and a culture of security awareness developed. Best practices must be defined and all users monitored to make sure that those practices are being followed.

The study indicates that board level involvement in cybersecurity issues is becoming more common, yet only 28% of survey respondents indicated there was a current high level of board engagement in such issues. What is even more worrying is there has actually been a fall of 2% in high-level engagement year on year. 15% of respondents said board engagement in cybersecurity matters was low, while a third said engagement was at a medium level, better than in previous years.

You must identify the most critical assets to effectively manage cybersecurity risk

In order to protect assets, they must first be identified. This may sound obvious, but many companies are unsure what their critical assets are according to the study. A number of companies had failed to identify the data that cybercriminals were most likely to try to obtain. Appropriate protections were therefore not being put in place to keep the most sensitive data secure.

Confidence in repelling cyberattacks is low

The majority of organizations are not particularly confident that a targeted attack could be repelled, even though cybersecurity protections had been put in place. Companies were believed to be better at protecting their assets and keeping sensitive data secure than in recent years, although considerable efforts still need to be made.

According to the researchers, a lack of confidence is actually good news, as it should spur companies to keep on developing their security protections.