Microsoft’s Trustworthy Computing team recently released two reports that focused on security in both retail organizations and in the public sector.

These reports contain the key findings and recommendations based on anonymous data collected from 12,000 surveys conducted between November 2012 and February 2014.

Here are the key takeaways from each.

Security in Retail Organizations

In the last year, the security challenges that retailers face have become increasingly apparent. Standards such as the Payment Card Industry Data Security Standard (PCI DSS) spell out the need to protect customer data, and mature retail organizations are well aware of this. And yet worldwide security trends indicate that many retail organizations fall short on basic safe, secure computing practices.

  • 31% do not use role-based access control
  • 32% are not effective at managing physical access
  • 35% still use paper-based inventory or asset management solutions
  • 51% do not have a plan for responding to security breaches
  • 72% do not have budgeted disaster recovery plans
  • 29% increase capacity only after there is a capacity shortage

Security in Public Sector

Public sector organizations today are learning that data and asset protection is becoming more complex because of worldwide regulations with which they must comply, such as the European Union Data Protection Directive (EUDPD), and the increasing demand for self-service solutions. Additional resources are needed, but there are consistent and constant pressures to reduce budgets. As a result, public sector organizations worldwide are considering additional cloud-based solutions to achieve cost savings while actually increasing services.

  • 33% do not have uniformly enforced security policies
  • 40% still use paper nondisclosure agreements (NDAs), and apply them inconsistently
  • 20% do not use role-based access control
  • 45% do not use standardized data classification
  • 24% have adequate policies and practices for secure data disposal
  • 36% do not have a plan for responding to security breaches
  • 34% do not have budgeted disaster recovery plans

Looking at these numbers it is not a surprise that so many organizations have suffered significant data breaches in the last few years.

Having and using a data security plan is like having a backup plan for your own data: you do not want to discover that you need one at the very moment you need it.

That is the hard way to learn, but many organizations and companies still seem not to be getting the message, so perhaps the results of these surveys will help.

You can see the recommendations for each of the issues identified above in the whitepapers which are available from the Microsoft Download Center: