Cloud security company Bitglass released a survey today on the security policies of the companies populating the Fortune 500 list, finding that most had little public information about their efforts to protect customers.
Bitglass sought to figure out two main things about each Fortune 500 company: who is in charge of cybersecurity, and whether its website mentions data security, privacy or protection.
In their study, “The Cloudfathers: An Analysis of Cybersecurity in the Fortune 500,” researchers with Bitglass found an alarming lack of information about security policies at most companies.
Their survey says nearly 40% of the companies on the 2019 Fortune 500 do not have a chief information security officer and, of those, only 16% have another executive who is listed as responsible for cybersecurity strategy.
Of the 62% of companies that do have a chief information security officer, just 4% have them listed on their company leadership pages. Almost 80% of the companies make no indication on their websites of who is responsible for their security strategy.
More than half of all companies on the Fortune 500 have no language on their websites about how they are protecting the data of customers and partners beyond legally required privacy notices.
“Corporate social responsibility initiatives have made it onto the websites of the Fortune 500, but research has shown that the same level of importance is not being given to publicly demonstrating commitment to cybersecurity initiatives,” said Anurag Kahol, chief technology officer at Bitglass.
Bitglass scoured the company websites looking for keywords, phrases and personnel focused on information security and customer privacy.
Their findings illustrate how little companies have done to at least show that they take cybersecurity seriously. The Bitglass study says most companies have made little effort to explain their data policies or cybersecurity measures.
Kahol said this was worrying considering the massive data breaches that continue to occur each month.
Three days ago, popular food delivery app DoorDash admitted that in May the information of 4.9 million users was exposed to cybercriminals. The hackers gained access to users’ names, email addresses, order histories, phone numbers, delivery addresses and hashed and salted passwords.
They also managed to get the last four digits of some user credit cards and the driver’s license numbers of about 100,000 delivery workers.
“Lax security and its resulting breaches have long-term repercussions for organizations as well as their customers, shareholders, partners, and other stakeholders,” Kahol said. “Members of the Fortune 500 should be focused just as much on protecting personal data and consumer privacy as they are on other areas of social responsibility.”
The study found that companies in the transportation industry, aerospace industry and insurance industry were most likely to have an executive listed on their website as being in charge of cybersecurity strategy.
Companies involved in aerospace, finance and technology were also likely to have detailed sections on their website dedicated to information about how they protect user data. But some industries were almost completely bereft of any information.
In their survey, Bitglass researchers found that none of the companies in the hospitality industry had an executive who was publicly designated as being in charge of cybersecurity. In the manufacturing industry the figure was just 8%, while in telecommunications it was 9%.
Among Fortune 500 companies, the industries with the least information on their websites about their data policies were construction, oil and gas, and hospitality, in a three-way tie. Only 25% of the companies in these fields had any public policies about data protection.
“As the data shows, lax security (and its resulting breaches) can have significant, long-term repercussions for organizations; from tumbling share prices and a lack of consumer confidence to executive turnover and noncompliance with regulations,” the Bitglass survey found.
“If an organization wants to maintain the trust of its various stakeholders and succeed as a business, it must demonstrate a legitimate commitment to cybersecurity. In other words, protecting personal data and consumer privacy should be as much of a focus as any other area of corporate social responsibility,” according to the survey.