Conclusion 04: Practices
Several new questions posed in our recent survey indicate improvements in such security practices as requiring outsourcers to follow company security guidelines. Many firms have policies to physically protect data, have an IT executive in charge of data security and have assigned more IT staff to security. But more than half of them have yet to perform a formal risk assessment.
Only 47% of respondents in February said their IT department has carried out a formal assessment of their security vulnerabilities. That's slightly down from 48% in August.
A resounding 92% of all respondents have policies for physically protecting their data storage systems. Such procedures are in place at 88% of small companies.
The person responsible for data security is an IT executive for 72% of respondents, and 24% of the time it's someone with "security" in their title, such as a chief security officer or a vice president or director of security.
At 59%, many but far from all companies require their third-party outsourcers to comply with their security regulations. That rises to 67% for the large companies surveyed.
Overall, IT executives have slightly increased the percentage of IT staff devoted to security, from 3% of employees to 4%. In February, 16% of polled companies said they assigned 11% or more of their IT staff to security, up from 8% earlier.