As technology nudges businesses into the cloud, more and more companies are becoming comfortable storing data externally, according to a survey from Gartner, an IT research and advisory company. Companies are also more likely to have in place formal processes for assessing risks related to data stored externally.
The survey of 425 IT managers at midsize and large companies in the U.S., Canada, the U.K. and Germany found that larger companies are more likely to host critical data externally. Only 3% of companies with market capitalizations of $1 billion or more have an explicit policy preventing the sharing or hosting of data and processes externally, compared with 8% of midmarket respondents. Less than 1% of companies lack a policy or process to deal with externally hosted data, down from 5% in 2010.
However, many organizations have yet to implement risk assessments for business continuity. Though 72% of respondents have risk assessment processes for information security, only half of companies report having a formal process for evaluating the risk of mission-critical data loss.
Of those respondents with at least one formal process for assessing external party risk, 38% do not allow business partners access to sensitive data or processes, and 29% do not allow sensitive data to be outsourced. Mission-critical data and IT processes cannot be shared with an outsourced data center at 36% of companies.
Risk management around the use of software as a service (SaaS) is evolving. Over the course of Gartner’s past three annual surveys, the portion of companies with a policy against using SaaS for sensitive data has decreased by 10%. More companies are evaluating SaaS risk using questionnaires based on published standards, and two-thirds of companies use some sort of questionnaire, either based on published standards or unique to the organization.
Companies are more likely to use their own questionnaire, rather than one based on published standards, when assessing the risks involved in infrastructure as a service (IaaS) or platform as a service (PaaS). Only 26% of companies use a published standard, versus 31% that use a proprietary questionnaire. In contrast, in 2009, 32% used a published standard and 22% a proprietary questionnaire.
While questionnaires have remained a steadfast part of risk assessment practices for sharing data, on-site evaluation of partner controls by a staff member has dropped from 39% to 34%, and evaluation of the information partners choose to provide has dropped from 42% to 34%. The share of companies that do not allow any method of sharing sensitive data has gone down from 41% to 29%.