Risky business: How company insiders put high value information at risk

Larry Ponemon

Larry Ponemon

Ponemon Institute is pleased to present the results of Risky Business: How Company Insiders Put High Value Information at Risk, sponsored by Fasoo. The purpose of this study is to understand what activities put business-critical information at risk in the workplace.

Based on the findings of this research, employees and other insiders often lack the information, conscientiousness and guidance needed to make intelligent decisions about the information they have access to and share. In fact, companies are more confident they can stop external attackers from accessing confidential information than their own employees and contractors.

We surveyed 637 IT and IT security practitioners who are familiar with their organization’s approach to securing confidential information contained in documents and files. All organizations represented in this research use document and file-level security tools. In the context of this study, high value information could be trade secrets, new product designs, merger and acquisition activity, confidential business and financial information, and employee information. The loss or theft of such information would be catastrophic for a company and affect its sustainability.

Safeguarding high value information in organizations is a two-way street. Employees need to be responsible and follow data protection policies and safeguards in place. In turn, companies need to have the tools, expertise and governance practices to protect sensitive and confidential information.

According to the study, the majority of organizations represented in this research (56 percent of respondents) say they do not educate employees on the protection of documents and files containing confidential information. In addition, most companies do not conduct an audit to determine if the use and sharing of confidential documents and files are in compliance with regulations and policies. Those companies that did conduct an audit discovered deficiencies in their document or file security practices.

Very few organizations are prepared to stop the leakage of high value information. Only 27 percent of respondents say they have the ability to restrict the sharing of confidential documents and files among employees and only 36 percent believe they can restrict the sharing of files with third parties. Similarly, 28 percent of respondents say their organizations have the ability to manage and control employee access to confidential documents and files.

The following are key takeaways from this report according to these topics:

 High value information is at risk
 The challenge of plugging the leaks of high value information
 Reverse the insider risk

High value information is at risk

Company insiders cause data breaches. The primary cause of data breaches experienced by companies in this study was the careless employee (56 percent of respondents) followed by lost or stolen devices (37 percent of respondents) or system glitches (28 percent of respondents). In contrast, only 22 percent of respondents say external attackers or malicious/criminal insiders (17 percent of respondents) caused the breach.

Companies lack the technologies to detect company insider risk. Sixty-eight percent of respondents say they do not know where their confidential information is located and 61 percent of respondents say their organizations do not have visibility into what confidential documents and files are used and/or shared among employees.

Technologies focus on the perimeter and not on preventing access to unencrypted files. The primary enabling security technologies used in the document and file collaboration environment are identity and access management tools or two-factor authentication. Far fewer organizations are using technologies to manage encryption keys so only the business can access unencrypted files. Enterprise file sharing solutions and technologies that enable organizations to obtain data location when using cloud services are not used frequently .

The sales department and human resources are most likely to put high value information at risk. The sales function and human resources pose the greatest risk to both structured and unstructured information assets . C-level executives also pose great risk to unstructured information assets. The research and development function is the most careful in protecting both structured and unstructured data.

Employees use document and file sharing applications vulnerable to data leakage. Fifty-eight percent of respondents say employees use free versions of consumer file sync and share applications. Only 36 percent of respondents say employees use enterprise-grade file sharing on private cloud.

Education and policies are not in place to provide guidance on appropriate access and sharing practices. Fifty-six percent of respondents say their organizations do not educate employees on the protection of documents and files containing confidential information and 50 percent of respondents say they do not have a policy for the acceptable use of document and cloud or Web-based file sharing applications by employees.

The sharing of files and documents is unsecured. Sixty-nine percent of respondents say files and documents are shared using unencrypted email and 58 percent of respondents say they share files using a cloud-based, commercial file-sharing tool. Only 30 percent of respondents say they use encrypted email and 31 percent of respondents use file transfer protocol (FTP).

Both company-assigned and employee-owned mobile devices are used to access and share confidential documents and files. Only 29 percent of respondents say their organization restricts the use of company-assigned mobile devices such as smartphones and tablets from accessing and sharing confidential documents and files with other employees and third parties. Fifty-four percent of respondents say their organization restricts the use of employee-owned (BYOD) mobile devices such as smartphones and tablets to access and/or share confidential documents and files with others.

Audits are rarely conducted, but they do reveal security deficiencies. Only 23 percent of respondents say their organizations conduct an audit to determine if the use and sharing of confidential documents and files are in compliance with regulations and policies. However, 69 percent of respondents say the audits reveal security issues that need to be addressed.

The challenge of plugging the leaks of high value information

Organizations get low scores for their ability to stop a potential data breach by employees and third parties. Only 41 percent of respondents say their organizations are highly effective in preventing the leakage of confidential documents and files by careless employees and 43 percent are highly effective in preventing the leakage of confidential documents and files by third parties such as vendors and business partners.

There is no clear responsibility for securing documents and files with confidential information. According to 37 percent of respondents, no one person in their organization has ultimate authority for ensuring the security of confidential information in documents and files. Chief information officers and end users have responsibility, according to 35 percent of respondents, respectively. Only 18 percent of respondents say the chief information security officer is responsible.

Organizations struggle to determine the appropriate level of confidentiality of documents and files. Only 17 percent of respondents rate their organizations as highly effective in determining the appropriate level of confidentiality of documents and files. Typically, organizations determine confidentiality by data type (71 percent of respondents), policies (65 percent of respondents) or data usage (59 percent of respondents). Only 13 percent of respondents say they determine confidentiality by who has access to the document or by a content management system (16 percent of respondents).

Stopping unauthorized access is a challenge for companies. Only 15 percent of respondents say their organizations are highly effective in setting employee/user permissions to access confidential documents and files and only 17 percent of respondents say they are successful in curtailing the use of unapproved/insecure document and file collaboration tools.

Reverse the insider risk

Company insiders frequently do stupid things with confidential information. According to 78 percent of respondents, employees frequently do not delete confidential documents or files that were no longer needed or required for use and 51 percent of respondents say employees frequently are sharing files and documents not intended for them. Forty-four percent say very often employees are forwarding confidential files or documents to individuals not authorized to receive them.

Organizations are willing to allow workers to have their confidential information on their home computers and devices. Almost half of respondents (48 percent) say they believe there are situations when it is acceptable for employees to transfer or retain confidential documents or files to their home computer and personally owned tablet or smartphone. Surprisingly, a lack of policy enforcement is an acceptable reason to transfer or retain confidential documents or files to a home computer or personally owned mobile device.

Who owns the company’s proprietary and high value information? If an employee, who is a software programmer, develops applications for a client company and then reuses the same source code in projects for other companies, does that employee have some level of ownership in the work and invention? Fifty percent of respondents say they do. However, if the employee does not receive advance permission from the client company to reuse the source code, 42 percent of respondents say this is a serious infraction and 19 percent of respondents say it is a minor infraction.

The unethical use of a competitor’s proprietary information occurs frequently. Forty-seven percent of respondents say they are aware of situations when recently hired employees bring confidential documents from former employers that are a competitor of their organization. Thirty-seven percent of respondents say they believe this happens very frequently (22 percent of respondents) or frequently (15 percent of respondents). However, 45 percent of respondents do not view the use of a competitor’s business confidential information as an infraction against the company.

To access the full report, click here:
http://en.fasoo.com/Ponemon-Risky-Business-How-Company-Insiders-Put-High-Value-Information-at-Risk

Leave a Reply

Your email address will not be published. Required fields are marked *