Unauthorized Sharing Undermines Data Security
Data breaches don’t just happen when some malicious outsider orchestrates a massive hack or absconds with company secrets. They also happen when ordinary workers don’t see the harm in improperly sharing confidential information with one another, or in well-intentioned but unsafe practices. Unauthorized data sharing can undermine your best efforts at data security, even if employees are otherwise trained in cyber-safety protocols. Recent survey results hammer this point home once again.
Dell Data Security commissioned Dimensional Research to conduct a survey into the data sharing and safety practices of 2,608 professionals who work with confidential, sensitive, or regulated information (CSRI). Separately, Crowd Research Partners partnered with the Information Security Community on LinkedIn to conduct a similar survey, this one focused on perceived insider threats. More than 500 security professionals responded to the resultant Insider Threat poll.
From a data security standpoint, the results of both surveys are disheartening but not surprising.
The Dell survey found that 72% of respondents were willing to share CSRI under certain circumstances, such as sharing at a manager’s direction (43%), with an authorized person (37%), in circumstances the employee determines involve high benefit and very low risk (23%), in order to do their job more effectively (22%), or in order to help the recipient do their job more effectively (13%). 36% of respondents have opened emails from unknown senders, 31% have given third parties access to internal information systems (such as the company intranet), and a shocking 35% of ex-employees took corporate information out the door with them. 24% of respondents shared CSRI to get the job done, 18% didn’t know it was unsafe to do so, and 3% acted maliciously.
Many respondents felt disempowered to handle data security properly, and felt that security hampered productivity. Only 36% were very confident in their ability to protect information, yet 65% felt responsible for doing so. 76% of respondents said their company puts data security over productivity, 21% felt slowed down by security protocols, 21% had difficulty keeping up with changing cyber-safety norms, and 22% worried about mistakenly damaging the company through unsafe data protection practices. Respondents’ cyber-safety practices were generally poor, despite 63% of respondents saying that they had been required to complete data security training.
Is there a connection between the majority of employees who say their companies prioritize data security over productivity and the high number of employees who share information for questionable reasons, or who do not feel confident in their understanding of data security? There seems to be a disconnect between leadership and workers. Perhaps this comes down to check-the-boxes style training which does not integrate into workplace realities. Such training is generally ineffective.
In interpreting the survey results, Dell addresses this dilemma:
There is no one-size-fits-all solution to this issue, because every company has different security needs. However, it’s clear that corporations and employees must meet somewhere in the middle. Though many employees already complete cybersecurity training, management may also need “training” from employees to fully understand their daily tasks and scenarios in which they might feel justified in sharing confidential data.
The computer tech giant adds that unclear or narrow policies may be to blame for this gap, and suggests policies and training that empower employees by meeting them where they are and building from there: “Organizations must stop simply telling employees not to share confidential information and instead unlock the ability for them to share confidential data when it makes sense, but in a secure and simple fashion.”
Specifically, the suggestions are “for organizations to strive for higher levels of awareness, enablement and protection simultaneously”:
- “Create simple, clear policies and ensure they outline steps for handling common scenarios that employees experience.” This begins with identifying priorities, including endpoint devices and critical data, and ends with the goal of getting employees to understand the how and why of data security no matter where, with what device, or with whom they work.
- “Embrace and enable productivity.” Data security that overly obstructs productivity will motivate employees to find unsafe work-arounds. Organizations should strive to implement secure systems that minimize interference with business initiatives and workflow.
- “Use security solutions that protect data wherever they go.” Data travels, from PCs and mobile devices to cloud services, personal email accounts, and external devices. Organizations need a “robust, multi-layer security infrastructure” that enables them to monitor and control data access and use, and to limit these to authorized people under proper circumstances.
The Insider Threat survey found that 74% of respondents feel vulnerable to insider attacks, a 7% increase over last year’s numbers. But only 42% of respondents say their organizations have implemented appropriate controls to thwart insider attacks. 56% said that insider attacks have increased in the last 12 months. Respondents also perceived that the biggest threats, among insiders with access credentials, come from managers and other privileged-access users (60%), contractors or consultants (57%), and regular employees (51%). As to the types of insider threats respondents worried about, 71% were most concerned about inadvertent (i.e., careless) data breaches or leaks, 68% cited negligent breaches (willfully but not maliciously ignoring policy), and 61% cited malicious data breaches in which the insider willfully causes harm.
62% of respondents who said that insider threats are rising believed that a lack of employee training and awareness was the main reason. Similarly, 60% said the biggest barrier to improved threat management is a lack of training and expertise. However, only slightly more than half (51%) of organizations say they combat insider threats with user training. Background checks and monitoring user activity each account for less than 40% of responses.
The Dell survey, by contrast, found that 63% of workers are required to train. The 12-percentage-point difference between the two surveys may be explained by the way the questions were asked and the types of respondents. The Dell survey polled a broad range of professionals with access to sensitive data about their own training, whereas the Insider Threat survey asked cybersecurity professionals about training as a tool for combating cyberthreats.
Another significant difference between the two polls: 3% of respondents to the Dell survey said they shared data for malicious reasons, whereas 61% of respondents to the Insider Threat survey said that they were most concerned about malicious data breaches. In this case, the difference in response is probably due to the kinds of questions asked: Dell asked about the motivations for respondents’ own behavior, whereas the Insider Threat poll asked about respondents’ perceptions of security threats in general.
Not Good, Not Surprising
Unfortunately, the Dell and Insider Threat surveys are only the latest of several to highlight the risk insiders pose to data security. Last year, a Ponemon Institute study revealed that insider negligence beat out external attacks and malicious worker conduct as the leading cause of data loss or theft. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association also released a study last year, in follow-up to a similar 2012 study, which showed that simple human error (such as losing a device or paper files) caused most data breaches.
These surveys show that organizations and employees perceive the problem of insider access to sensitive information. That perception has a basis in reality. Data breaches and snafus (insider-induced or otherwise) can lead to reputational harm, data security negligence lawsuits, damage to the bottom line, and untold unforeseen consequences.
However, while attempted data breaches by outsiders are not in your control, educating your employees about data security is. As my colleague Douglas Kelly has written:
Employees are your biggest cybersecurity risk — and also, potentially, your biggest asset. Cybersecurity is everybody’s job and mistakes by employees, contractors, and vendors — using weak passwords, opening attachments from an unfamiliar source, misconfigured settings — lead to the overwhelming majority of successful attacks.
Effective data security training for employees at all levels, integrated into your business, compliance, and risk-management needs, is a key component of cybersecurity. LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.