News & Views
Insider data breaches major concern
Results of the second global survey by IT specialists Egress (www.egress.com) reveal that a staggering 97% of IT leaders say insider breach risk is a significant concern.
Egress’ ‘Insider Breach 2020’ study (http://bit.ly/3bU6evp) looks at the causes, frequency and implications of internal security breach incidents and the perspectives of IT leaders and employees about data risk, responsibility and ownership.
The study reveals that 78% think employees have put data at risk accidentally in the past 12 months, and 75% believe employees have put data at risk intentionally. When asked about the implications of these breaches, over 40% say financial damage would be the area of greatest impact.
Asked what traditional security tools they have in place to mitigate insider breach risk, just half of IT leaders said they are using anti-virus software to combat phishing attacks, 48% are using email encryption and 47% provide secure collaboration tools. More than half (58%) say employee reporting is more likely than any breach detection system to alert them to an insider data breach.
“The results uncovered serious discrepancies between IT leaders’ perceptions of insider breach risk and causes, and how they are in managing them. It also exposed that employees are still confused about data ownership and responsibility,” explains Tony Pepper, CEO, Egress.
“While they acknowledge the sustained risk of insider data breaches, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the risk. Effectively, they are adopting a risk posture in which at least one-third of employees putting data at risk is deemed acceptable.”
“Incidents of people accidentally sharing data with incorrect recipients have existed for as long as they’ve had access to email,” continues Pepper. “As a fundamental communication tool, organizations and security teams have weighed the advantages of efficiency against data security considerations, and frequently compromise on the latter. However, we are in an unprecedented time of technological development, where tools built using contextual machine learning can combat common issues, such as misdirected emails, the wrong attachments being added to communications, auto-complete mistakes, and employees not using encryption tools correctly. Organizations need to tune into these advances to truly be able to make email safe.”
The survey also showed that employee misconceptions over data ownership have a negative impact on information security. The employee-facing research found 29% of respondents said they or a colleague had intentionally shared data against company policy in the past year. A worrying 46% said they or a colleague had broken company policy when they took data with them to a new job, while more than a quarter (26%) said they had taken a risk when sharing data because they weren’t provided with the right security tools.
“This reckless approach to data protection may be explained by employees’ views on data ownership and responsibility. Over 40% of the employees surveyed don’t believe that data belongs exclusively to the organization and only 37% recognize that everyone has responsibility for keeping data safe,” says Pepper.
“Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe. This is a toxic combination for data protection efforts. When you add their propensity to take data with them when they change jobs and willingness to take risks when sharing data, the scale of the challenge faced by security professionals is alarming.”
The survey for the Egress report was conducted by independent research organization Opinion Matters in January 2020. More than 500 IT leaders and 5000 employees were surveyed across the UK, US and Benelux regions.