When it comes to the root cause of an organizational data breach, perhaps one of the most understated problems is the insider threat. Well-known breaches at Facebook, Marriott and Equifax are each said to have involved, in one way or another, employee error. This is not only a matter of intentionally malicious or criminal activity; it also covers ownership, carelessness and a lack of cyber security awareness. According to a recent study by data security company Egress, the latter two are far more likely to be the cause of a data breach than a criminal insider.
To dissect the issue, Egress explored it through two lenses: employer and employee. Unsurprisingly, there is a significant disconnect between the two, both in how they understand the problem and in who they think owns it and is responsible for it.
“The results of the survey emphasize a growing disconnect between IT leaders and staff on data security, which ultimately puts everyone at risk. While IT leaders seem to expect employees to put data at risk, they’re not providing the tools and training required to stop the data breach from happening.”
Tony Pepper – CEO, Egress Software Technologies
Who was surveyed?
The survey spoke to 250 CIOs and IT leaders across the United Kingdom and the United States, and to more than 2,000 employees across the same two countries.
An Obvious Divide: IT Leaders Vs. Employees
Accidental Data Breaches
79% of IT leaders believe that employees have accidentally put company data at risk in the last 12 months. The most commonly cited error was sending data to the wrong person (45%), in most cases by email. This is easy to understand: most email clients autocomplete the address field, so a recipient with a similar name or address is only one keystroke away.
92% of employees say they haven’t accidentally broken company data-sharing policies in the last 12 months, and 91% say they certainly haven’t done so intentionally.
60% of IT leaders believe an accidental breach will happen within the next calendar year.
From the employee’s point of view, of those who did admit to accidentally sharing data, nearly half (48%) said they were rushing, 30% blamed a high-pressure work environment and 29% blamed sheer exhaustion.
The single most commonly cited error was sending the data to the wrong person (45%); another 27% were tricked by phishing campaigns. Of greater concern is that more than one third (35%) were completely unaware that the information should not have been shared at all. That points back to the IT leaders themselves, who are responsible for employee education and general awareness of data security.
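The misdirected-email failure mode described above (an autocompleted look-alike address, or classified content addressed outside the company) is one that a technical control can catch before the message leaves. The following Python is an added illustration and is not Egress's product or any code from the original article; the domains, partner allowlist, contact list, classification markers and the edit-distance threshold of 2 are all constructed assumptions for the example.

```python
"""Pre-send recipient sanity check for outbound email.

Added example, not Egress's code. Flags two of the accidental-breach
causes in the survey: a look-alike recipient picked by autocomplete,
and classified content addressed to someone outside the organisation.
All domains, contacts and markers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List

INTERNAL_DOMAINS = {"example.com"}                 # assumption: our own domain
TRUSTED_PARTNER_DOMAINS = {"partner.example.org"}  # assumption: vetted partners

# Constructed address book: recipients the user has legitimately mailed before.
KNOWN_CONTACTS = {
    "alice.jones@partner.example.org",
    "bob.chan@example.com",
}

# Assumed classification markers placed in the body by a labelling tool.
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")

# Addresses within this edit distance of a known contact are treated as
# probable autocomplete mistakes rather than genuinely new recipients.
LOOKALIKE_DISTANCE = 2


@dataclass
class Finding:
    recipient: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_recipients(recipients: Iterable[str], body: str,
                     known: Iterable[str] = KNOWN_CONTACTS) -> List[Finding]:
    """Return the reasons a message should be held for confirmation.

    An empty list means no concern was raised.
    """
    known = {k.lower() for k in known}
    findings: List[Finding] = []
    cleaned = [r.strip().lower() for r in recipients]

    for rcpt in cleaned:
        domain = domain_of(rcpt)
        if rcpt in known or domain in INTERNAL_DOMAINS:
            continue
        # Close to a contact we already mail, but not identical: the classic
        # autocomplete slip (alice.jone@..., examp1e.com, partner-example.org).
        near = sorted(k for k in known if levenshtein(k, rcpt) <= LOOKALIKE_DISTANCE)
        if near:
            findings.append(Finding(rcpt, f"look-alike of known contact {near[0]}"))
            continue
        if domain not in TRUSTED_PARTNER_DOMAINS:
            findings.append(Finding(rcpt, "first contact with untrusted external domain"))

    # Even a correct, known recipient must not receive classified material
    # if they sit outside the organisation.
    external = [r for r in cleaned if domain_of(r) not in INTERNAL_DOMAINS]
    if external and any(marker in body for marker in CLASSIFICATION_MARKERS):
        findings.append(Finding(", ".join(external),
                                "classified content addressed to an external recipient"))
    return findings


def safe_to_send(recipients: Iterable[str], body: str) -> bool:
    """Convenience wrapper for a mail-client hook: True means let it go."""
    return not check_recipients(recipients, body)


if __name__ == "__main__":
    for f in check_recipients(["alice.jone@partner.example.org", "bob.chan@examp1e.com"],
                              "CONFIDENTIAL: Q3 pipeline attached"):
        print(f"{f.recipient}: {f.reason}")
```

The check deliberately errs towards a confirmation prompt rather than a hard block: the survey's own numbers show the slip happens to rushed, tired people, and a short "did you mean alice.jones@…?" at send time addresses that directly, whereas a silent block just gets worked around.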
Intentional Data Breaches
This is where the waters get muddy. Both employers and employees admit that this happens, but likely not on the scale most employers believe. A prime example is sales positions, particularly when changing jobs. There is a strange confusion over who owns the data: sales staff are known to take customer lists from one job to the next on the basis that the leads they developed belong, to some extent, to them, so employees see this as a “grey area.”
61% of employers believe an employee has maliciously leaked company data.
30% of employers believe the data leaks were done so with the intent to harm the company.
28% of employers believe this was done for financial gain.
8% of employees admitted to deliberately sharing data; 23% of those admit to taking it with them to their next job.
55% of employees who intentionally shared data against company rules said their organization did not provide them with the tools needed to share sensitive information securely.
Implications: Awareness and Ownership
Comparing the two perspectives, it is clear the disconnect only continues to grow. It is currently unclear why this should be, given all the information available, but it is a topic that needs to be faced head on, and both parties must take responsibility for their contribution to an organization’s information security.
Employees are too quick to blame their mistakes on a lack of training. In some cases that has some validity, but errors often continue after training has been completed. Training will only ever be effective if employers reinforce it and if employees are willing to change their habits for the good of their organization.
Employers are still too quick to blame staff, citing what they believe to be a workforce resistant to change. Most employers say training is available, yet uptake and compliance have fallen and errors continue after it. At the end of the day, the onus is on the employer to provide the required material efficiently and concisely; some employers go so far as to expect employees to simply train themselves.
Given this obvious variance in perspective, it is not hard to see how the disconnect can leave any organization vulnerable. Where most organizations focus their cyber defense on external threats, shifting some of that focus to internal threats may prove invaluable.
For help choosing a penetration testing company, or further clarification of any of the topics covered, please contact us for more information.