Mind the (Data Security) Gap 14:48, August 25, 2016

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Our Resources

Mind the (Data Security) Gap

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

A Ponemon Institute report on closing data security gaps shows that insider negligence is the leading cause of data loss or theft.

The report, sponsored by Varonis, is called Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations. The study surveyed 3,027 employees in the US, the UK, Germany, and France, including 1,656 employees who worked in IT and IT security.

The study found that 76% of IT respondents (up from 67% in a 2014 study) said that their organization had experienced the loss or theft of company data in the last two years. Insider negligence was more than twice as likely as external attackers to compromise insider accounts. Malicious employees and malicious contractors were even less likely to compromise data.

The report concluded that the continuing increase in data loss and theft is due in large part to two factors:

(1) Employees and third parties have access to much more sensitive information than they need to do their jobs, increasing the damage when employees’ accounts are compromised, and

(2) Many organizations fail to monitor access and activity around email and file systems, which contain the most confidential and sensitive data.

Access to Information

In the poll, 62% of the non-IT employees said that they had too much access to confidential corporate data, which is an improvement from the 2014 number of 71%. In July 2016, the Federal Trade Commission held that LabMD’s failure to protect data was an unfair practice affecting commerce. In that case, LabMD gave management and sales employees administrative rights over their computers, allowing employees to change their security settings and download software applications and files from the Internet. In addition, even LabMD’s sales people and part-time employees could access patients’ medical and personal information. In its opinion, the Federal Trade Commission (FTC) pointed out that the National Research Council has been emphasizing since 1997 that procedures should be in place to ensure that users have access to only the information for which they have a legitimate need. But only 29% of the Ponemon poll’s IT respondents said that their organizations fully enforced a strict least privilege model to ensure that employees had access to data only on a need-to-know basis. 

In addition, the poll found that 43% of employees saved documents or files they’d worked on forever. Another 25% said they keep documents or files for a year or longer. Failure to delete files can increase a company’s vulnerability to a data breach. The FTC criticized LabMD for never deleting the data it collected.

Monitoring File Activity

Only 35% of companies had searchable records of file activity. The survey notes that failure to audit file activity is a significant vulnerability, especially with regard to ransomware. “Without an audit,” the survey says, “there is no way to determine which files have been encrypted by ransomware.” 

In the LabMD case, the FTC criticized the lab’s failure to monitor files, which allowed a filesharing program to run undetected for years on an employee’s computer. “File integrity monitoring or a more complete walk-around inspection could have detected the program, but these safeguards were not in place,” said the FTC.

Employees who don’t have a basic knowledge of data security and privacy issues might compromise their organizations’ data. You can learn about LawRoom’s online data security training or read our white paper on what makes effective data security training.

You might also be interested in...

  • Healthcare Compliance Takeaways for All IndustriesSeptember 11, 2016 Healthcare Compliance Takeaways for All Industries Like many industries, the medical field is no stranger to compliance. While its compliance issues may seem inapplicable to industries like tech and banking, we have covered recent developments that provide best practices for all organizations in three main areas: data security, sexual […] Posted in online compliance training, ethical conduct
  • Create a Compliance CultureJune 3, 2016 Create a Compliance Culture After months of scandal, HR tech company Zenefits has learned the importance of compliance and implemented appropriate safeguards. Even companies like AirBnb, Google, and Adobe, who have been lauded for their strong company cultures, can learn something, too. Because along with that […] Posted in online compliance training
Christine Day
Christine Day is a legal editor at EverFi. She writes about employment law issues and tracks case law and legislative and regulatory updates. Before joining EverFi she worked in legal publishing, researching and writing about tax law, business law, and employment law. She earned her JD from the University of San Diego Law School and her BA from the University of Southern California.

Leave a Reply

Leave a Reply

White Paper
Data Security training
for employees

  |   Download White Paper


Compliance Course Catalog
  |   Download Catalog