Businesses are still failing on the basic requirements for information security, such as visibility of their data assets, says security firm Websense. This first-hand experience with UK organisations is supported by recent global research by the Ponemon Institute commissioned by Websense.

More than a third of information security professionals who said their organisations had been hit by a security breach admitted they had no idea what data had been stolen, the study showed.

“This means in many organisations even basic security functions are being missed,” said Neil Thacker, information security and strategy officer for Europe at Websense. “The coming European data protection legislation will require mandatory breach notification, but that will be a challenge for organisations that lack visibility of their data assets,” he told Computer Weekly.

Proper visibility of data assets will be essential when organisations are called upon to report data breaches and assess their impact. Thacker said these organisations are running out of time to ensure that they know what is going on in their IT infrastructure and that they have a fast and efficient way of assessing the impact of data breaches.

“All businesses in Europe should ensure they have established data discovery and classification processes in place by the time the new legislation is enacted,” he said. Another priority should be assigning ownership and responsibility for all data assets to business leaders in information security by making them accountable for specific data sets.

“Discovery, classification and accountability are the basic requirements for information security, and yet they are still being missed,” said Thacker. In addition to meeting regulatory requirements, he believes greater visibility is important to building better, more collaborative relationships between IT security teams and business leaders.

“Business leaders – including the board of directors – are most interested in what impact any data breaches will have on the business,” explained Thacker. “It is therefore essential for security pros to know exactly what is going on, and to be able to tell the business what the impact is likely to be,” he said.


Source: www.computerweekly.com