Firms must face third-party security risks

Most organisations are in denial about the security risks of sharing data with partners, says Ernst & Young

Over half of organisations are failing to manage the risks of sharing data with third parties, although many are now investing in securing the capture and storage of sensitive data, according to a new global survey by consultancy Ernst & Young.

The firm's Global Information Security Survey of 1,200 public and private sector organisations in nearly 50 countries found that more than three-quarters cited privacy and data protection as a significant issue; with 52 percent addressing privacy and data protection with formal procedures.

"It's been an issue for years but it has been done in an ad-hoc way through point solutions," explained the firm's UK head of Technology and Security Risk Services, Richard Brown. "But now consumers are being more savvy in that area, and organisations are getting on top of segregation of duties and securing data. "

He added that although many firms are now taking "a good solid risk management approach" to data security, it is becomingly increasingly important to have disaster recovery processes underpinning that. But only half of respondents said they actually tested their plans while only 46 percent said they have communication strategies in place.

Another major finding of the survey was the lack of formal agreements with third-party suppliers for secure data sharing in just over half of firms. Brown argued that this is because contracts are often set up without the input of the CIO, who should enforce compliance with corporate standards over data security.

Donald Massaro, chief executive of secure messaging specialist Sendmail, agreed that firms are now taking data security a lot more seriously, driven by compliance with new legislation and high profile data breaches.

"It has reached a tipping point in the States and the Californian [data breach notification] law has put some teeth on it," he explained. "Also, if you lose intellectual property that is violating Sarbanes Oxley; it's all high visibility stuff which has the attention of [top-level executives] and it's moving over into Europe."