Firms doing too little to tackle employee data breaches

Insider data breaches are a major concern for 97 percent of IT leaders, according to new research. About three quarters believe that employees have put data at risk in the past 12 months accidentally (78 percent) or intentionally (75 percent). When asked about the implications of these breaches, more than two in five said financial damage would be the area of greatest impact.

More than 500 IT leaders and 5000 employees were polled across the UK, US and Benelux regions for the survey from Egress (registration required). Of those employees who had accidentally leaked data, four in ten had done so because of a phishing email, while three in ten had sent information to the wrong person, for example by email.

Egress CEO Tony Pepper said: “Incidents of people accidentally sharing data with incorrect recipients have existed for as long as they’ve had access to email. As a fundamental communication tool, organisations and security teams have weighed the advantages of efficiency against data security considerations, and frequently compromise on the latter.” Other common issues include “misdirected emails, the wrong attachments being added to communications, auto-complete mistakes and employees not using encryption tools correctly”.

 

Businesses resigned to data breaches

Asked what traditional security tools they have in place to mitigate insider breach risk, just half of IT leaders said they are using anti-virus software to combat phishing attacks, 48 percent are using email encryption and 47 percent provide secure collaboration tools. More than half (58 percent) say employee reporting is more likely than any breach detection system to alert them to a problem.

Pepper claimed the findings show IT leaders are resigned to the inevitability of insider breaches and don’t have adequate risk management in place. “While they acknowledge the sustained risk of insider data breaches, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the risk. Effectively, they are adopting a risk posture in which at least one-third of employees putting data at risk is deemed acceptable.”

Given the severe penalties for data breaches, “relying on employees to report incidents is not an acceptable data protection strategy”, he added.

 

Reckless employees threaten information security

Nearly three in ten employees surveyed said they or a colleague had intentionally shared data against company policy in the past year. Of these, 46 percent said they or a colleague had broken company policy by taking data with them to a new job, while more than a quarter said they had taken a risk when sharing data because they weren’t provided with the right security tools.

Egress suggested this reckless approach may be explained by employees’ views on data ownership and responsibility. Four in ten of the employees surveyed don’t believe that data belongs exclusively to the organisation and only 37 percent recognise that everyone has responsibility for keeping data safe.

Pepper commented: “Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe. This is a toxic combination for data protection efforts. When you add their propensity to take data with them when they change jobs and willingness to take risks when sharing data, the scale of the challenge faced by security professionals is alarming.”

 

Directors disrespect data

The more senior the employee, the more cavalier their attitude towards data breaches, the survey suggests. More than three-quarters of directors admitted intentionally sharing data against company policy in the past year, compared with just 10 percent of clerical staff.

The findings suggest directors are also the most likely to take data with them to a new job. More than two-thirds of directors who had intentionally broken policy had done so when they changed jobs, compared with the average for all employees of 46 percent.

Image by William Iven