Monthly Archives: June 2016

Risky business: How company insiders put high value information at risk

Larry Ponemon

Ponemon Institute is pleased to present the results of Risky Business: How Company Insiders Put High Value Information at Risk, sponsored by Fasoo. The purpose of this study is to understand what activities put business-critical information at risk in the workplace.

Based on the findings of this research, employees and other insiders often lack the information, conscientiousness and guidance needed to make intelligent decisions about the information they have access to and share. In fact, companies are more confident they can stop external attackers from accessing confidential information than their own employees and contractors.

We surveyed 637 IT and IT security practitioners who are familiar with their organization’s approach to securing confidential information contained in documents and files. All organizations represented in this research use document and file-level security tools. In the context of this study, high value information could be trade secrets, new product designs, merger and acquisition activity, confidential business and financial information, and employee information. The loss or theft of such information would be catastrophic for a company and affect its sustainability.

Safeguarding high value information in organizations is a two-way street. Employees need to be responsible and follow data protection policies and safeguards in place. In turn, companies need to have the tools, expertise and governance practices to protect sensitive and confidential information.

According to the study, the majority of organizations represented in this research (56 percent of respondents) say they do not educate employees on the protection of documents and files containing confidential information. In addition, most companies do not conduct an audit to determine if the use and sharing of confidential documents and files are in compliance with regulations and policies. Those companies that did conduct an audit discovered deficiencies in their document or file security practices.

Very few organizations are prepared to stop the leakage of high value information. Only 27 percent of respondents say they have the ability to restrict the sharing of confidential documents and files among employees and only 36 percent believe they can restrict the sharing of files with third parties. Similarly, 28 percent of respondents say their organizations have the ability to manage and control employee access to confidential documents and files.

The following are key takeaways from this report according to these topics:

 High value information is at risk
 The challenge of plugging the leaks of high value information
 Reverse the insider risk

High value information is at risk

Company insiders cause data breaches. The primary cause of data breaches experienced by companies in this study was the careless employee (56 percent of respondents), followed by lost or stolen devices (37 percent of respondents) and system glitches (28 percent of respondents). In contrast, only 22 percent of respondents attribute the breach to external attackers, and 17 percent to malicious or criminal insiders.

Companies lack the technologies to detect company insider risk. Sixty-eight percent of respondents say they do not know where their confidential information is located and 61 percent of respondents say their organizations do not have visibility into what confidential documents and files are used and/or shared among employees.

Technologies focus on the perimeter and not on preventing access to unencrypted files. The primary enabling security technologies used in the document and file collaboration environment are identity and access management tools or two-factor authentication. Far fewer organizations are using technologies to manage encryption keys so that only the business can access unencrypted files. Enterprise file sharing solutions and technologies that let organizations determine where their data is located when using cloud services are not used frequently.

The sales department and human resources are most likely to put high value information at risk. The sales function and human resources pose the greatest risk to both structured and unstructured information assets. C-level executives also pose great risk to unstructured information assets. The research and development function is the most careful in protecting both structured and unstructured data.

Employees use document and file sharing applications vulnerable to data leakage. Fifty-eight percent of respondents say employees use free versions of consumer file sync and share applications. Only 36 percent of respondents say employees use enterprise-grade file sharing on private cloud.

Education and policies are not in place to provide guidance on appropriate access and sharing practices. Fifty-six percent of respondents say their organizations do not educate employees on the protection of documents and files containing confidential information and 50 percent of respondents say they do not have a policy for the acceptable use of document and cloud or Web-based file sharing applications by employees.

The sharing of files and documents is unsecured. Sixty-nine percent of respondents say files and documents are shared using unencrypted email and 58 percent of respondents say they share files using a cloud-based, commercial file-sharing tool. Only 30 percent of respondents say they use encrypted email and 31 percent of respondents use file transfer protocol (FTP).

Both company-assigned and employee-owned mobile devices are used to access and share confidential documents and files. Only 29 percent of respondents say their organization restricts company-assigned mobile devices such as smartphones and tablets from accessing and sharing confidential documents and files with other employees and third parties. Fifty-four percent of respondents say their organization restricts employee-owned (BYOD) mobile devices such as smartphones and tablets from accessing and/or sharing confidential documents and files with others.

Audits are rarely conducted, but they do reveal security deficiencies. Only 23 percent of respondents say their organizations conduct an audit to determine if the use and sharing of confidential documents and files are in compliance with regulations and policies. However, 69 percent of respondents say the audits reveal security issues that need to be addressed.

The challenge of plugging the leaks of high value information

Organizations get low scores for their ability to stop a potential data breach by employees and third parties. Only 41 percent of respondents say their organizations are highly effective in preventing the leakage of confidential documents and files by careless employees and 43 percent are highly effective in preventing the leakage of confidential documents and files by third parties such as vendors and business partners.

There is no clear responsibility for securing documents and files with confidential information. According to 37 percent of respondents, no one person in their organization has ultimate authority for ensuring the security of confidential information in documents and files. Thirty-five percent of respondents each name the chief information officer or end users as responsible. Only 18 percent of respondents say the chief information security officer is responsible.

Organizations struggle to determine the appropriate level of confidentiality of documents and files. Only 17 percent of respondents rate their organizations as highly effective in determining the appropriate level of confidentiality of documents and files. Typically, organizations determine confidentiality by data type (71 percent of respondents), policies (65 percent of respondents) or data usage (59 percent of respondents). Only 13 percent of respondents say they determine confidentiality by who has access to the document or by a content management system (16 percent of respondents).

Stopping unauthorized access is a challenge for companies. Only 15 percent of respondents say their organizations are highly effective in setting employee/user permissions to access confidential documents and files and only 17 percent of respondents say they are successful in curtailing the use of unapproved/insecure document and file collaboration tools.

Reverse the insider risk

Company insiders frequently do stupid things with confidential information. According to 78 percent of respondents, employees frequently do not delete confidential documents or files that were no longer needed or required for use and 51 percent of respondents say employees frequently are sharing files and documents not intended for them. Forty-four percent say very often employees are forwarding confidential files or documents to individuals not authorized to receive them.

Organizations are willing to allow workers to have their confidential information on their home computers and devices. Almost half of respondents (48 percent) say they believe there are situations when it is acceptable for employees to transfer or retain confidential documents or files on their home computer and personally owned tablet or smartphone. Surprisingly, respondents cite a lack of policy enforcement as an acceptable reason to transfer or retain confidential documents or files on a home computer or personally owned mobile device.

Who owns the company’s proprietary and high value information? If an employee, who is a software programmer, develops applications for a client company and then reuses the same source code in projects for other companies, does that employee have some level of ownership in the work and invention? Fifty percent of respondents say they do. However, if the employee does not receive advance permission from the client company to reuse the source code, 42 percent of respondents say this is a serious infraction and 19 percent of respondents say it is a minor infraction.

The unethical use of a competitor’s proprietary information occurs frequently. Forty-seven percent of respondents say they are aware of situations when recently hired employees bring confidential documents from former employers that are a competitor of their organization. Thirty-seven percent of respondents say they believe this happens very frequently (22 percent of respondents) or frequently (15 percent of respondents). However, 45 percent of respondents do not view the use of a competitor’s business confidential information as an infraction against the company.

To access the full report, click here:
http://en.fasoo.com/Ponemon-Risky-Business-How-Company-Insiders-Put-High-Value-Information-at-Risk

State official: Please stop falling for ransomware attacks — you're costing the taxpayers big bucks

Bob Sullivan

How bad has the ransomware problem become?  The state auditor of Ohio held a press conference yesterday because local government agencies keep falling for ransomware attacks. And a firm that tracks domain activity found a roughly 35-fold increase in ransomware-related domain name registrations in the past quarter.  Hackers love to cut and paste, so imitation is the surest sign that something is working.

Recall the high-profile, alarming ransomware attacks earlier this year on hospitals.  These “your money or your data” crimes can do a lot of damage quickly, and confused organizations brought to their knees by missing mission-critical data often pay up.  Of course, smaller organizations with fewer IT resources are at greater risk.

Here’s what’s going on in Ohio.  Auditor of State Dave Yost issued a warning on Thursday to treasurers, fiscal officers and others responsible for spending public money that cybercrimes targeting government are “on the rise.” And he offered these examples.

  • An investigation continues in an eastern Ohio county after the county’s court data was attacked by ransomware on May 31. A virus had encrypted the court’s data and hackers demanded $2,500 for the key to unlock the information. Because a recent copy of the data wasn’t available, the county agreed to pay the $2,500. (Note: Because the transaction is ongoing, we are not identifying the county.)
  • A similar ransomware attempt was made April 5 in Vernon Township (Clinton County). That cyberattack did not result in the payment of any ransom because the township’s data was backed up.
  • In Peru Township (Morrow County), the township fiscal officer’s computer began screeching on March 9 before a notice appeared on the screen advising that a solution was available by calling an 800 number. The township paid $200 to stop the attack.

In separate, non-ransomware incidents,  an employee at Big Walnut Local School District in Delaware County was tricked into issuing a check for $38,520 to a hacker. The money was recovered before it was lost. The Madison County Agricultural Society wasn’t as lucky; it was scammed out of $60,491 through someone posing as the IRS, collecting back taxes.

“We’ve all seen and heard about the criminals who try to steal our personal funds. These scammers would like nothing more than to get their sticky fingers on our tax dollars, too,” Yost said. “We need to be vigilant because they are becoming increasingly sophisticated in how they attempt to steal money through the internet.”

Yost is right.  Network security firm Infoblox reported last week that hackers were falling over each other to set up websites related to ransomware scams.  The firm tracks domain registrations as a way of monitoring the Internet for threats, and it says it found a 35-fold increase in newly observed ransomware domains from the fourth quarter of 2015.

“There is an old adage that success begets success, and it seems to apply to malware as in any other corner of life. In the first quarter of 2016, there were numerous stories in the news about successful ransomware attacks on both companies and consumers,” the firm said.  “We believe the larger cybercriminal community has taken notice.”

According to the FBI, ransomware victims reported costs of $209 million in the first quarter, compared to $24 million for all of 2015.

“Unless and until companies figure out how to guard against ransomware – and certainly not reward the attack – we expect it to continue its successful run,” Infoblox said.

Yost said all the crimes began with some variation of phishing, and urged all government employees to be on alert.

“The internet is the tool of choice for criminals, and we need to make it as difficult as possible for thieves to access community treasure chests,” Yost said.

The best way to do that, as Vernon Township showed above, is to keep good backups.
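The eastern Ohio county paid because “a recent copy of the data wasn’t available,” and Vernon Township didn’t because its data was backed up. The lesson is only useful if someone actually checks, on a schedule, that the latest backup is both recent and unaltered. The script below is an added example (not from the auditor’s office, Infoblox or the original post): it records a SHA-256 manifest for a backup set, then checks that the manifest is younger than a chosen threshold and that every file still matches its recorded hash. The 24-hour threshold, the file names and the “court records” sample data are constructed for the illustration; the second check simulates a backup copy that has gone stale and had one file overwritten with random bytes, which is how an encrypted file looks to a hash check.

```python
"""Backup freshness and integrity check (added example, not the article's code)."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Assumption for this example: a backup older than a day is "stale".
MAX_BACKUP_AGE_SECONDS = 24 * 3600
MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, created: Optional[float] = None) -> Path:
    """Hash every file in the backup set and write the manifest beside it.

    In production the manifest (or a copy) belongs on a separate, offline or
    append-only store; a manifest kept only next to the data is encrypted with it.
    """
    files = {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    manifest = {"created": time.time() if created is None else created, "files": files}
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=1))
    return out


def check_backup(backup_dir: Path, now: Optional[float] = None,
                 max_age: float = MAX_BACKUP_AGE_SECONDS) -> dict:
    """Report whether the backup is fresh (manifest age <= max_age) and intact
    (every listed file present with a matching hash)."""
    now = time.time() if now is None else now
    report = {"fresh": False, "intact": False, "missing": [], "altered": [], "problems": []}
    manifest_path = backup_dir / MANIFEST_NAME
    if not manifest_path.exists():
        report["problems"].append("no manifest: backup cannot be verified")
        return report
    manifest = json.loads(manifest_path.read_text())
    age = now - manifest["created"]
    report["fresh"] = age <= max_age
    if not report["fresh"]:
        report["problems"].append(f"backup is {age / 3600:.1f} hours old")
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["altered"].append(rel)
    report["intact"] = not report["missing"] and not report["altered"]
    if report["missing"]:
        report["problems"].append(f"missing: {report['missing']}")
    if report["altered"]:
        report["problems"].append(f"hash mismatch (possible encryption): {report['altered']}")
    return report


def demo() -> tuple:
    """Constructed scenario: a good backup checked an hour after creation, then the
    same copy three days later after one file has been overwritten."""
    created = 1_464_739_200.0  # arbitrary fixed timestamp for reproducibility
    with tempfile.TemporaryDirectory() as d:
        backup = Path(d)
        (backup / "court_records.db").write_bytes(b"case 1\ncase 2\ncase 3\n")  # constructed
        (backup / "ledger.csv").write_bytes(b"date,amount\n2016-05-31,2500\n")  # constructed
        write_manifest(backup, created=created)
        good = check_backup(backup, now=created + 3600)
        # Simulate ransomware overwriting a file in the backup set; no new backup taken.
        (backup / "ledger.csv").write_bytes(os.urandom(64))
        bad = check_backup(backup, now=created + 3 * 86400)
    return good, bad


if __name__ == "__main__":
    ok, broken = demo()
    print("fresh backup:", ok)
    print("stale/altered backup:", broken)
```

Run it unattended against the real backup target and page someone when `fresh` or `intact` is false; a hash check catches a copy that was silently encrypted or truncated, but it is not a substitute for periodically restoring the backup onto a clean machine and confirming the application actually opens it.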