There is a gap between IT leaders and employees over data security and ownership that is undermining attempts to stem the growing tide of insider breach incidents, according to new research.
Data security company Egress announced the results of its first Insider Data Breach survey, examining the root causes of employee-driven data breaches, their frequency and impact.
The research was carried out by independent research organization Opinion Matters and incorporated the views of over 500 U.S. and U.K.-based IT leaders, and over 4000 U.S. and U.K.-based employees. The survey also explored how employees and executives differ in their views of what constitutes a data breach and what is acceptable behavior when sharing data.
Key research findings include:
• 79 per cent of IT leaders believe that employees have put company data at risk accidentally in the last 12 months. 61 per cent believe they have done so maliciously.
• 30 per cent of IT leaders believe that data is being leaked to harm the organization. 28 per cent believe that employees leak data for financial gain.
• 92 per cent of employees say they haven’t accidentally broken company data sharing policy in the last 12 months; 91 per cent say they haven’t done so intentionally.
• 60 per cent of IT leaders believe that they will suffer an accidental insider breach in the next 12 months; 46 per cent believe they will suffer a malicious insider breach.
• 24 per cent of employees who intentionally shared company data took it with them to a new job.
• 29 per cent of employees believe they have exclusive ownership of the data they have worked on.
• 55 per cent of employees that intentionally shared data against company rules said their organization didn’t provide them with the tools needed to share sensitive information securely.
Egress CEO and Co-founder Tony Pepper said the survey highlights a perception gap between IT leaders and employees over the likelihood of insider breaches.
He said that this is a major challenge for businesses as insider data breaches are viewed as frequent and damaging occurrences, of concern to 95 per cent of IT leaders, yet the vectors for those breaches – employees – are either unaware of, or unwilling to admit, their responsibility.
Asked to identify what they believe to be the leading causes of data breaches, IT leaders were most likely to say that employee carelessness through rushing and making mistakes was the reason (60 per cent). A general lack of awareness was the second-most cited reason (44 per cent ), while 36 per cent indicated that breaches were caused by a lack of training on the company’s security tools.
However, 30 per cent believe that data is being leaked to harm the organization and 28 per cent say that employees leak data for financial gain.
From the employee perspective, of those who had accidentally shared data, almost said they had been rushing, 30 per cent blamed a high-pressure working environment and 29 per cent said it happened because they were tired.
The most frequently cited employee error was accidentally sending data to the wrong person (45 per cent ), while 28 per cent had been caught out by phishing emails. Concerningly, over one-third of employees (35 per cent ) were simply unaware that information should not be shared, proving that IT leaders are right to blame a lack of awareness and pointing to an urgent need for employee education around responsibilities for data protection.
“The results of the survey emphasize a growing disconnect between IT leaders and staff on data security, which ultimately puts everyone at risk. While IT leaders seem to expect employees to put data at risk – they’re not providing the tools and training required to stop the data breach from happening. Technology needs to be part of the solution. By implementing security solutions that are easy to use and work within the daily flow of how data is shared, combined with advanced AI that prevents data from being leaked, IT leaders can move from minimising data breaches to stopping them from happening in the first place,” Pepper said.
The Egress Insider Data Breach survey found confusion among employees over data ownership. 29 per cent believed that the data they work on belongs to them alone, not the organization. Moreover, 60 per cent of employee respondents didn’t recognize that the organization is the exclusive owner of company data, instead ascribing ownership to departments or individuals. This was underlined by the fact that, of those who admitted to sharing data intentionally, one-in-five (20 per cent) said they did so because they felt it was theirs to share.
24 per cent of employees who shared data intentionally did so when they took it with them to a new job, while 13 per cent did so because they were upset with their organization. However 55 per cent said they shared data insecurely because they hadn’t been given the tools necessary to share it safely.
The survey also found that attitudes towards data ownership vary between generations, with younger employees less aware of their responsibilities to protect company data.
Tony Pepper adds: “As the quantity of unstructured data and variety of ways to share it continue to grow exponentially, the number of insider breaches will keep rising unless the gulf between IT leaders and employee perceptions of data protection is closed. Employees don’t understand what constitutes acceptable behavior around data sharing and are not confident that they have the tools to work effectively with sensitive information. The results of this research show that reducing the risk of insider breaches requires a multi-faceted approach combining user education, policies and technology to support users to work safely and responsibly with company data.”
