The Ponemon Institute LLC recently conducted a study called “The Second Annual Study on the Cybersecurity Risk to Knowledge Assets,” which surveyed 634 IT security practitioners. The study shows that, while companies are increasingly realizing the need to protect their confidential and sensitive information, the majority of companies still have not implemented effective protection measures.

Troublingly, 82% of respondents acknowledged that it was “very likely” that high value company assets had been breached (an increase from 74% in Ponemon’s 2017 study), with 65% believing that the company’s assets are now in the hands of a competitor. Additionally, only 35% of respondents ranked their organizations as “highly effective” (7+ on a 10 point scale) in protecting assets.

Respondents who did not believe their organizations are “highly effective” in protecting assets identified the following as the top three causes for the company’s shortcomings: lack of in-house expertise (73%); lack of leadership (55%); and lack of collaboration with other functions (55%).

By comparison, respondents at the “highly effective” organizations implemented the following practices:

  • restricting employee access to information on a need-to-know basis;
  • conducting audits to ensure adherence to practices and policies;
  • conducting regular training that is customized based on employees’ roles and access to and need to handle sensitive information;
  • using technology to protect assets, such as Identity & Access Management, Access Monitoring & Tracking, or Data Loss Prevention tools; and
  • engaging senior management and the board of directors in the protection of assets.

The use of these and other practices resulted in these “highly effective” companies reducing the average time to identify a data breach by a malicious outsider by 90 days and by a careless insider by 58 days. They also reduced the average time required to contain a breach involving a knowledge asset by more than 30 days.

TIP: Recognizing that data loss, theft, and breach are problems is just the first step. Implementing effective measures, tailored to the specific needs of the company and involving senior management, is necessary to minimize the chance of breach, promptly contain any breach that occurs, and minimize the impact of the breach.