The State of Data Privacy in 2015Sponsored by Druva
A Survey of IT Professionals
As technology increasingly enables the collection and storage of every type of business and customer data, securing data has become a top concern for business, and so has the privacy of data. There is a growing awareness of the need to manage not only security but also data privacy to deal with changing infrastructure, regulations, and tremendous data growth, while still delivering cost effective operations. This study examines the state of data privacy protection among IT leaders, how it’s the same or different than approaches to security, and the readiness of IT in the face of cloud adoption.
The following report, sponsored by Druva, is based on a survey of 214 IT professionals with responsibility for corporate data. The goal of the survey was to understand attitudes, approaches, and challenges with ensuring the privacy of corporate data.
- Data Privacy – Ensuring data isn’t misused, misappropriated, or publicly exposed by those who have authorized access to it
- Data Security – Ensuring data is protected from unauthorized access or interception
Table of Contents
- Key Findings
- Detailed Findings
- Survey Methodology and Participant Demographics
- About Dimensional Research
- About Druva
- Data privacy is important, but don’t depend on employees as your solution to address it
- –99% have sensitive data
- –84% report data privacy is increasing in importance in 2015
- –82% have employees who don’t follow data privacy policies
- International requirements are making data privacy even more challenging to manage
- –93% face challenges ensuring data privacy
- –91% have data privacy controls, but those controls are incomplete
- –77% find it challenging to keep up with regional requirements for data privacy
- Privacy isn’t viewed as a separate priority, and most resources are on external threats
- –Only 20% separate data privacy and data security
- –72% put more effort into coping with threats from external sources than internal sources
- Cloud data is growing, but privacy concerns persist
- –88% expect cloud data volume to increase in 2015
- –95% have sensitive data in the cloud
- –87% are concerned about the privacy of data in the cloud
Businesses depend on sensitive data
Sensitive business data is a fact of life. Almost all businesses, 99%, have sensitive data that they must manage.
Participants were asked what types of business data is the most sensitive for their organization, and were allowed to pick up to three answers. The most common types of data identified as most sensitive included regulated customer data including credit cards and health records (52%), password or other authentication credentials (46%), and personal employee information such as social security numbers (41%).
Businesses must protect data privacy to meet regulations
Certain types of businesses are known to have strict data privacy regulations; for example HIPAA protects the privacy of patient data in healthcare environments, and PCI for retail and other companies that deal with credit card data. However, these regulations for data privacy are not the exception; they are the norm. The majority of companies, 81%, do deal with some form of data privacy requirement to meet compliance and governance regulations.
Data privacy is increasing in importance in 2015
Focus on data privacy is growing. When asked how efforts to protect the privacy of sensitive data were changing for 2015, the majority of participants (84%) indicated that these efforts were increasing. A further 15% said that efforts would stay the same, with only a very small number (1%) indicating that their efforts at protecting data privacy would actually decrease in the coming year.
Employees do not follow data privacy policies
Employee education and awareness is key to any data privacy initiative, but it is clear that depending on employees is not an effective approach. Only a small number of companies (18%) report that all employees follow data privacy policies. The majority of companies (82%) have employees that don’t follow established policies for data privacy.
Within the same company, certain departments are more likely to follow data privacy policies than others. Participants were asked which types of employees were most likely to ignore data privacy policies, and allowed to pick up to three departments. Sales was the worst offender (48%), ahead of marketing (35%) and owners or partners (31%). However, even employees in the legal department made the list (6%), although this is stereotypically the group that knows the regulations best and is most interested in following rules.
Employees also follow data privacy policies at different rates. Individual contributors and front-line professionals are the interested types of employee most likely to ignore data policies (39%), but this was followed very closely by executives (33%).
Data privacy creates challenges for IT
IT professionals agree that ensuring data privacy is challenging. The vast majority (93%) of IT organizations face challenges ranging from insufficient employee awareness (56%) and lack of budget to purchase technology solutions (45%) to lack of process to audit behavior (36%) and lack of executive visibility and priority (34%).
Several participants did take the time to report that they faced other challenges including multinational regulations, keeping up with changing regulations, and the impact of BYOD.
Companies try to cope, but data privacy controls are incomplete
The vast majority of companies, 91%, do have data privacy controls in place.
However, when you look into the details of those controls, you find that controls are not extensive. Many companies do educate employees by asking them to sign a data privacy agreement (61%), offering regular training (54%), or offering ad hoc education programs (38%).
As we saw earlier in this report, depending on all employees to follow these policies is not an effective approach to data privacy. Technology solutions can be more consistent, if implemented properly. Two-thirds of companies (63%) do use some kind of technology approach. However, the technology in use today to ensure data privacy is incomplete at most companies. The most common technologies are basic access control (58%) and logging data access (41%). But only 21% encrypt data on mobile devices and only 36% encrypt data on laptops.
International operations make data privacy even more challenging
For companies who have international operations, data privacy is even more complicated. The need to understand a wide variety of regional requirements can make data privacy challenges exponentially greater. Participants in our survey agreed, with 77% of participants who operate in more than one country reporting that they have difficulties. This includes 67% who say they have challenges, and 10% who have given up and don’t even try to keep up with data privacy differences in countries outside of their main region.
The additional challenges faced by global companies range from difficulties tracking emerging rules (41%) to ambiguity of requirements (29%). Technology vendors are blamed for some of the problems as they are perceived as not offering solutions or guidance to address regulations (29%). It is interesting to note that IT is confident that if they have the information they can deal with it. Only a few (17%) described the problem as a lack of ability in the IT team to understand the requirements.
Most companies lump data privacy into security efforts
There can be overlap in data security and data privacy. This survey wanted to investigate the relationship. Specific definitions were provided to participants to set a common baseline for answering questions. Data privacy was defined as ensuring that sensitive data isn’t misused, misappropriated, or publicly exposed by those who have authorized access; and data security was defined as ensuring data is protected from unauthorized access or interception.
Most companies do combine their security and privacy initiatives to some degree. For 16%, these two areas were the same effort, but for more than half (51%) data privacy is part of the security initiative, although there are a few distinct aspects. Only 20% of companies focus on data privacy to the point where it is a completely separate initiative from data security.
Most effort is spent protecting from external threats
This focus on data security over data privacy is seen in the effort put into both of these areas. When asked to indicate how efforts are divided between protecting against internal threats such as careless employees that impact data privacy, only 28% indicated this was the larger focus area. Most companies, 72%, indicated that they put most of their effort into protecting from external threats like hackers that impact data security.
We see the same focus on security when it comes to audits. While almost half do conduct regular privacy audits to ensure compliance with data privacy standards (47%), many more conduct regular security audits (68%).
Cloud data will increase in 2015
The adoption of cloud technologies, including SaaS applications and public infrastructure clouds, has raised many questions around data privacy. The companies who have cloud data were asked about their attitudes and experiences with data privacy in the cloud.
Unsurprisingly, the majority (88%) expect their cloud data volumes to grow in 2015 with only 5% predicting a decrease in cloud data volumes. For most companies (95%) the data in the cloud includes sensitive data.
IT concerned about the privacy of sensitive cloud data
IT is not confident about the privacy of their sensitive cloud data. The majority (87%) are concerned about the privacy of cloud data, including 32% who describe themselves as “very concerned”.
Although the reputation of SaaS and public infrastructure cloud has improved dramatically in the past years, most IT professionals (65%) still believe that their on-premises environments have better privacy controls than cloud.
Survey Methodology and Participant Demographics
In March 2015, individuals with responsibility for corporate data were invited to participate in an online survey on the topic of data privacy. Participants were asked a series of questions about importance of data privacy, data privacy controls and challenges, and privacy of cloud data.
A total of 214 individuals completed the survey. All had professional responsibility for corporate data including security, compliance, privacy, or governance. Participants represented a wide range of geographies, company sizes, role, and vertical industries.
About Dimensional Research
Dimensional Research® provides practical market research to help technology companies make their customers more successful. Our researchers are experts in the people, processes, and technology of corporate IT and understand how corporate IT organizations operate. We partner with our clients to deliver actionable information that reduces risks, increases customer satisfaction, and grows the business. For more information visit www.dimensionalresearch.com.
Druva is the leader in cloud data protection and information management, leveraging the public cloud to offer a single pane of glass to protect, preserve and discover information – dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost and complexity of managing and protecting it.
Druva’s award-winning solutions intelligently collect data, and unify backup, disaster recovery, archival and governance capabilities onto a single, optimized data set. As the industry’s fastest growing data protection provider, Druva is trusted by over 4,000 global organizations and protects over 25 PB of data. Learn more at www.druva.com and join the conversation at twitter.com/druvainc.
Visit Druva.com/resources/ for additional resources for learning more about endpoint backup.