Leaks of sensitive data in companies are a recurrent topic nowadays, and they deserve intensive research because of their serious nature, not because they are a trend. The rapid growth in unstructured data and the various ways for employees to share that data put organisations at high risk of cybersecurity breaches. However, as it turns out, there is another factor to be taken into account – the way employees and CIOs perceive the term ‘sensitive data’. A new study by the independent British research organisation Opinion Matters, sponsored by Egress, juxtaposes IT leaders’ and employees’ perspectives and reveals major discrepancies. The report, called “Insider Data Breach Survey 2019”, extends the Opinion Matters study we told you about, which concerned the up-to-date trends and causes of accidental data breaches in the USA.
The survey gathered responses from 252 U.S. and 253 U.K.-based IT leaders (CIOs, CTOs, CISOs and IT Directors) and 2004 U.S. and 2003 U.K.-based employees to assess the root causes of these employee-driven data breaches, as well as the frequency and impact of such instances.
Understandably, almost all IT leaders (95%) consider insider security threats a danger to their organization. In line with many other reports and analyses, a large share of CIOs (79%) believe employees have put company data at risk accidentally in the last 12 months. It is surprising, though, that quite a lot of them (61%) think employees have put company data at risk maliciously.
- 30% believe that internal data breaches result from employees leaking data to harm the organization
- 28% believe employees are stealing data for financial gain
Even more surprising is the main concern of the IT leaders who think their employees have intentionally conducted data breaches. According to the report, 31% of managers mostly fear that the leaked data will benefit competitors. Employees taking data to a new job, leaking data to cybercriminals and sharing data with personal systems were the second most commonly cited (21%).
But can we draw objective conclusions based solely on a survey completed by employers? “Insider Data Breach Survey 2019” also reveals what employees think.
The results show a significant disconnect between the IT leader and employee perspectives of insider data breaches.
- 94% of U.S. employees and 87% of U.K. employees claim they have not intentionally broken company data sharing policies (compared to the 61% of IT leaders convinced of malicious breach)
- 95% of U.S. and 90% of U.K. employees believe they have never accidentally caused a data breach.
The researchers comment on the results:
“This perception gap points to a major challenge for businesses. Insider data breaches are viewed as frequent and damaging occurrences that are of major concern to 95% of IT leaders, yet the vectors for those breaches – employees – are either unaware of, or unwilling to admit, their responsibility. While the majority of employees were hesitant to admit to being the cause of a data breach, those that did own up to intentionally sharing sensitive data showed a worryingly blasé attitude towards company information.”
Also, if we take a closer look at the results (as proper analysis requires), 55% of employees who shared data intentionally claim they did so because they didn’t have the security tools necessary to share information safely. This means the fault does not necessarily lie solely with the employee. IT leaders first and foremost carry the responsibility to provide their employees with tools to share and access data securely.
To make things even more complicated, the study shows that 1 in 5 employees believe that the data they work with is their own and that they have the right to do whatever they want with it. This misconception shows why a greater percentage of IT leaders than of employees themselves think that employees cause data leaks. Some of the latter just think what they do is perfectly fine.
It seems training is a vital part of every company’s work. Whether it is about using tools to keep data safe or about providing basic information (such as who owns the company’s data), the dialogue between managers and employees should be an ongoing and valued process.