Company bosses underestimating data loss risks

Lack of communication endangering business.

Chief executives have a disconnected view of their organisation's security priorities, according to a report from the Ponemon Institute.

The Business Case for Data Protection report reveals a disparity between the perspectives and expectations of chief executives and other C-level employees concerning data protection.

"For a long time we've known that there's been something of a disconnect between the C-suite and the front lines of security and privacy," wrote Larry Ponemon, founder of the Ponemon Institute, in a blog post.

"Call it an educated gut sense gained from reading between the lines of our many privacy and security studies, and reading between the lines on the faces of our friends and colleagues."

Typically, there seems to be a lack of communication and prioritisation. For instance, while every chief executive surveyed said that reducing security flaws within business-critical applications was 'important' or 'very important', only two thirds of C-level privacy and security executives agreed.

A similar pattern emerged when respondents were asked about identifying and responding to a data breach, and about protecting confidential information shared with vendors, business partners and other third parties.

The research also revealed that bosses disagree about who is responsible for data protection.

Few believe they would suffer professional repercussions from a data breach, despite the fact that most think they will suffer one in the next year.

Just over half of large businesses reported attacks on their IT infrastructure occurring on a daily or hourly basis, according to the study, while 48 per cent of bosses believe that their organisation is rarely attacked.

However, around two thirds of all executives expect the company to suffer a data breach in the next 12 months.

Should a breach occur, there seems to be just as much confusion over who is responsible for data protection.

Just over half of chief executives pointed the finger at the chief information officer, while only a quarter of other C-level executives felt the same way.

Furthermore, regardless of where the blame ends up, only 15 per cent of executives surveyed felt that their job or reputation would be at risk as the result of a data breach.

The report concludes that effective data management and protection will only be possible if this gap in communication is narrowed.

As well as greater collaboration between information security departments, involving the legal department is seen as critical to achieving organisational data protection goals.
