Staff and IT leadership at odds over data security

It’s no secret that employees and contractors are one of the primary causes of enterprise security events. It’s not that most insiders who cause data breaches are malicious. They’re not. They may carelessly send a cleartext email that contains sensitive information, reuse the same password across applications, or lose an unencrypted notebook or portable storage device. And they are notorious for clicking on phishing links and introducing malware to the organization.

These acts are careless, and they increase enterprise risk, but they aren’t malevolent. This isn’t to dismiss the potential damage careless insiders can cause, as the damage from such breaches can be substantial. A survey from data security vendor Egress shed some light on why so many enterprises suffer breaches at the hands of remiss employees and others: a considerable lack of training.

The research was carried out by independent research organization Opinion Matters and it incorporated the views of more than 500 U.S. and U.K.-based IT leaders, and more than 4,000 U.S. and U.K.-based employees. The survey also explored how employees and executives differ in their views of what constitutes a data breach and what is acceptable behavior when sharing data. It highlighted a number of rather “interesting” views employees have toward enterprise data.

When asked what IT leaders believed to be the leading causes of data breaches, 60 percent cited employee carelessness. That was followed, at 44 percent, by a broad lack of security awareness, and 36 percent said a lack of training on the organization’s security tools was to blame.

Now for the employee perspective. Ninety-two percent of employees said they had accidentally broken data sharing policy over the last 12 months, and essentially the same (91 percent) said they hadn’t done so intentionally. For those employees who admitted (or were at least aware) that they accidentally shared company data, 48 percent said it was while they were rushing, and 30 percent placed the blame on a high-pressure working environment. Twenty-nine percent said they accidentally shared data because they were tired.

What types of data mistakes do employees tend to make? By far the most common, at 45 percent, was sending sensitive data to the wrong person. That was followed by 28 percent who fell for phishing attacks.

But these were not the most fascinating findings from the survey. It turns out more than a third of employees said they were not aware information should not be shared. Those who were aware it was wrong and intentionally shared company data despite policy said that the organization failed to provide them with the tools necessary to share sensitive information securely.

Finally, 29 percent of employees said they thought they had exclusive ownership of the data they’ve worked on.

Now, much of the data from this survey was to be expected: lots of employees intentionally sidestep rules around data sharing because they believe it’s more productive to do so, and they downplay the risks to themselves. And it’s also no secret that phishing attacks are effective. But it is stunning to see that one-third of employees were unaware data shouldn’t be readily shared and that nearly a third of those surveyed believed they owned the organization’s data.

This points to woefully inadequate training. Not just security awareness training when it comes to avoiding breaches, but training around the confidentiality of company information and why security policies exist in the first place.
