Employees—not cyber-criminals—pose the biggest threat to companies today when it comes to data breaches and data loss, according to a recent report.
The study of 1,100 IT security professionals from the United States, United Kingdom, and Germany conducted by the Ponemon Institute shines a spotlight on the escalating risk posed by ungoverned file-sharing practices among employees. According to the report, 61 percent of respondents confessed to engaging in at least one of the following practices on a regular basis:
Sent files or documents to unauthorized individuals outside the organization;
Used their personal file-sharing apps in the workplace;
Shared files through unencrypted e-mail; or
Failed to delete confidential documents or files as required by company policy.
“Data leakage and loss from negligent file sharing is now just as significant a risk as data theft,” Larry Ponemon, chairman of the Ponemon Institute, says. Furthermore, the actual number of employees who engage in risky and ungoverned file-sharing practices is “likely even worse” than the results indicate, he says, given that these findings reflect only a small sampling of companies.
Even as employees engage in negligent file sharing, many IT security professionals believe their company lacks clear visibility into employees’ use of cloud-based file-sharing applications such as Dropbox, Box, and SharePoint; 49 percent of respondents cited this lack of visibility. Another 51 percent admitted that they’re not convinced their companies have the ability to manage and control user access to sensitive documents and how they are shared.
“Nobody really understands how much data is leaving the organization, and there are no controls to manage that,” says Daren Glenister, chief technology officer at Intralinks. A lot of companies might believe they have controls in place, “but, in reality, data is hemorrhaging out of the organization,” he adds.
Losing the Battle
Even among companies that have policies in place governing the use of file sharing, such policies are not effectively being communicated to employees. According to the report, for example, 52 percent of IT security professionals said their companies have a policy on the adoption and use of cloud-based file-sharing applications, but less than half (46 percent) said they provide annual training on the risk of data loss and data theft. Another 31 percent of respondents said they’re unsure if such training exists at all.
Adding to this risk is that sensitive company information is being shared outside the company with external parties like business partners, contractors, vendors, and other stakeholders. Sharing documents without privilege and without control “potentially poses the highest risk” to companies, Ponemon says.
On account of the expanded use of document sharing beyond the corporate firewall, IT arguably is losing control over the use of company data. “A lot of companies are installing commercial-grade file sync-and-share tools because of their ease-of-use, but there is no security around that,” Glenister says.
While 54 percent of respondents said their organization’s IT department is involved in the adoption of new technologies for end users—such as cloud, mobile, and Big Data analytics—IT doesn’t always have the final say on how those technologies are used. Its ability to control the risk of unsecured file sharing is diminished, for example, by the increasing influence that business units have over how file-sharing and collaboration tools are used.
Nearly half of respondents, for example, say the chief information security officer or chief information officer has ultimate authority and responsibility for securing document collaboration and file-sharing activities. Many file-sharing applications, however, are being used by various business functions without the IT department’s approval or knowledge, the report stated.
As a result, one of the biggest hurdles facing chief information officers today is how to regain control of the company’s most sensitive information, without sacrificing the ease-of-use that employees want and that the business demands, Glenister says. “You can’t have usability without security,” he says.
The report also analyzed the differences in file-sharing practices between regulated and unregulated industries. “Regulatory pressures on organizations are an important factor,” Ponemon concludes.
Companies regulated by specific data protection legislation analyzed in the report include financial services, healthcare, energy and utilities, life sciences, and communications. Companies not regulated by industry-specific data protection laws include retail, technology, consumer products, transportation, hospitality, entertainment and media, agriculture and food services, and defense and aerospace.
The Ponemon Institute polled more than 1,000 IT and IT security practitioners on their companies’ ability to manage file-sharing practices. See how they ranked that ability below.
In the chart below, respondents to the Ponemon Institute survey were asked to rank what kind of policies their companies have for the secure use of file sharing applications and training programs.
Source: Ponemon Institute.
The results were fairly consistent, if not surprising: Regulated industries overall have more confidence in the oversight and control of their file-sharing practices than unregulated industries do. The largest differences between the two groups concerned the existence of a clear policy and the ability to manage and control user access to sensitive documents.
According to the report, 57 percent of respondents in the regulated industries felt confident they have a clear policy for the adoption and use of cloud-based file-sharing applications, compared to 46 percent of the respondents in unregulated industries. Furthermore, 54 percent of respondents in the regulated industries said they have the ability to manage and control user access to sensitive documents and how they are shared, compared to 45 percent in unregulated industries.
Because so many of these problems occur on account of negligent acts by employees, companies can help protect their data by practicing basic blocking and tackling, Ponemon says. He recommends the following measures:
Implement a clear policy for the adoption and use of cloud-based file-sharing applications;
Establish regular training and awareness programs so that employees are aware of the risk of data loss and data theft;
Conduct regular audits and assessments to ensure document sharing and collaboration practices are in compliance with regulations;
Centralize ultimate authority and responsibility for securing document collaboration and file-sharing activities with subject-matter experts, namely IT security practitioners; and
Assign accountability for data loss when such instances occur.
As it stands right now, 64 percent of respondents admit their company has not conducted an audit or assessment to determine if document and file-sharing activities are in compliance with laws and regulations, and another six percent said they’re unsure.
Another important step to reduce the risk of the company’s sensitive data being compromised is to deploy access management tools to manage and control user access to sensitive documents and how they are shared. Many software providers, including Intralinks, offer solutions that protect the data itself so that every document is encrypted.
“The fundamental shift that needs to occur is that those controls need to be in the document itself, where content is the new perimeter,” Glenister says. You have to be able to control the content wherever it is and on whatever device it resides, he says.
When those controls are not in place, what often happens is that an employee leaks data and IT doesn’t find out until it’s too late, “or they never find out at all,” Ponemon says. So getting security involved and making sure the security team is knowledgeable and has visibility into employees’ use of file-sharing applications is very important, he says.
Companies need to take steps to understand how their sensitive data is being shared and distributed, and then adequately protect data wherever it resides—and that requires a combination of good corporate governance, regular training, effective process controls, and the adoption of automated technology. Without these measures in place, companies will continue to experience data breaches, not to mention the resulting reputational damage and regulatory risks.