Survey shows IT chief/employee security gap

Written by Peter Walker
03/04/19

New research has revealed that 79 per cent of IT leaders believe that their employees have put company data at risk accidentally in the last 12 months – with 61 per cent believing they have done so maliciously.

This is according to a survey commissioned by data security company Egress and carried out among 250 US and UK-based IT leaders – CIOs, CTOs, CISOs and IT directors – and over 2,000 US and UK-based employees.

The research highlights a fundamental gulf between IT leaders and employees over data security and ownership that is undermining attempts to stem the growing tide of insider breach incidents.

It found that 30 per cent of IT leaders believe that data is being leaked to harm the organisation, with 28 per cent stating that employees leak data for financial gain.

However, 92 per cent of employees said they haven’t accidentally broken company data sharing policy in the last 12 months, and 91 per cent said they haven’t done so intentionally.

Nonetheless, 60 per cent of IT leaders believe that they will suffer an accidental insider breach in the next 12 months, while 46 per cent believe they will suffer a malicious insider breach.

Drilling down into employee misconceptions, 29 per cent of employees believe they have ownership of the data they have worked on, while 23 per cent of those who intentionally shared company data took it with them to a new job.

A further 55 per cent of employees who intentionally shared data against company rules said their organisation didn’t provide them with the tools needed to share sensitive information securely.

Asked to identify what they believe to be the leading causes of data breaches, IT leaders were most likely to say that employee carelessness through rushing and making mistakes was the reason (60 per cent). A general lack of awareness was the second-most cited reason (44 per cent), while 36 per cent indicated that breaches were caused by a lack of training on the company’s security tools.

From the employee perspective, of those who had accidentally shared data, almost half (48 per cent) said they had been rushing, 30 per cent blamed a high-pressure working environment and 29 per cent said it happened because they were tired.

The most frequently cited employee error was accidentally sending data to the wrong person (45 per cent), while 27 per cent had been caught out by phishing emails. Over one-third of employees (35 per cent) were simply unaware that information should not be shared, proving that IT leaders are right to blame a lack of awareness and pointing to an urgent need for employee education around responsibilities for data protection, according to Egress.

The company’s chief executive and co-founder Tony Pepper noted that while IT leaders seem to expect employees to put data at risk, they’re not providing the tools and training required to stop the data breach from happening.

“By implementing security solutions that are easy to use and work within the daily flow of how data is shared, combined with advanced AI that prevents data from being leaked, IT leaders can move from minimising data breaches to stopping them from happening in the first place.”

The survey also found that attitudes towards data ownership vary between generations, with younger employees less aware of their responsibilities to protect company data.

Pepper added: “As the quantity of unstructured data and variety of ways to share it continue to grow exponentially, the number of insider breaches will keep rising unless the gulf between IT leaders and employee perceptions of data protection is closed.

“Employees don’t understand what constitutes acceptable behaviour around data sharing and are not confident that they have the tools to work effectively with sensitive information.”