Mind the (Data Security) Gap
A Ponemon Institute report on closing data security gaps shows that insider negligence is the leading cause of data loss or theft.
The report, sponsored by Varonis, is called Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations. The study surveyed 3,027 employees in the US, the UK, Germany, and France, including 1,656 employees who worked in IT and IT security.
The study found that 76% of IT respondents (up from 67% in a 2014 study) said that their organization had experienced the loss or theft of company data in the last two years. Insider negligence was more than twice as likely as external attackers to compromise insider accounts. Malicious employees and malicious contractors were even less likely to compromise data.
The report concluded that the continuing increase in data loss and theft is due in large part to two factors:
(1) Employees and third parties have access to much more sensitive information than they need to do their jobs, increasing the damage when employees’ accounts are compromised, and
(2) Many organizations fail to monitor access and activity around email and file systems, which contain the most confidential and sensitive data.
Access to Information
In the poll, 62% of the non-IT employees said that they had too much access to confidential corporate data, which is an improvement from the 2014 number of 71%. In July 2016, the Federal Trade Commission (FTC) held that LabMD’s failure to protect data was an unfair practice affecting commerce. In that case, LabMD gave management and sales employees administrative rights over their computers, allowing employees to change their security settings and download software applications and files from the Internet. In addition, even LabMD’s salespeople and part-time employees could access patients’ medical and personal information. In its opinion, the FTC pointed out that the National Research Council has been emphasizing since 1997 that procedures should be in place to ensure that users have access to only the information for which they have a legitimate need. But only 29% of the Ponemon poll’s IT respondents said that their organizations fully enforced a strict least privilege model to ensure that employees had access to data only on a need-to-know basis.
In addition, the poll found that 43% of employees save documents or files they’ve worked on and keep them forever. Another 25% said they keep documents or files for a year or longer. Failure to delete files can increase a company’s vulnerability to a data breach. The FTC criticized LabMD for never deleting the data it collected.
Monitoring File Activity
Only 35% of companies had searchable records of file activity. The survey notes that failure to audit file activity is a significant vulnerability, especially with regard to ransomware. “Without an audit,” the survey says, “there is no way to determine which files have been encrypted by ransomware.”
In the LabMD case, the FTC criticized the lab’s failure to monitor files, which allowed a file-sharing program to run undetected for years on an employee’s computer. “File integrity monitoring or a more complete walk-around inspection could have detected the program, but these safeguards were not in place,” said the FTC.
Employees who don’t have a basic knowledge of data security and privacy issues might compromise their organizations’ data.