If the marketing department commissions and signs off on a mobile app, is security then their responsibility, or should it lie with the traditional home of security, IT? Sounds like your business? If it does then you’re not alone, according to a report, ‘The Data Security and Risk Management Review’, and what’s worse is that while you’re squabbling over responsibility a hacker is turning your problem into an opportunity.
The report, sponsored by managed service provider Advanced 365, found that many UK businesses are confused about who should manage data security procedures, leaving them at risk from cyber criminals exploiting businesses’ vulnerabilities around storing data in multiple locations as more devices become connected to the internet.
In the report, almost half of those surveyed (49%) stated that the definitive authority for data security should reside outside of CIOs and the IT department. Three quarters (75%) said data owners should assume responsibility for data which belongs to a business, 71% argued that security is a wider issue than just data, and more than half (56%) believed it should fall under the remit of other departments, such as compliance.
In contrast, 41% felt that IT should keep hold of the reins due to having ‘experience of dealing with security issues’ and just 10% were unsure whether security should sit within or outside IT.
The worry over security is also set to move higher up the running order at board meetings as the imminent changes to EU General Data Protection Regulation (GDPR) legislation and the significant fines in the event of a breach start to be disseminated more widely. Under new EU laws, any organisation which is tasked with managing and securing third-party access to data has a legal obligation to ensure it is secure. Those who fail to do so could face fines of up to 5% of their turnover.
Commenting, Neil Cross, Managing Director of Advanced 365, said, “To reduce the risk of a potentially damaging breach, businesses must define who is responsible for each specific area of security. This includes ensuring robust governance frameworks are in place for managing and safeguarding third-party access to their data to avoid significant fines under imminent GDPR compliance requirements.
“The new legislation will also have major implications for the providers of hosted and cloud services. Businesses must think carefully before choosing a trusted and experienced partner and pay particular attention as to the location of where their data will be stored.”