There are some significant differences between company CIOs and company employees as to the cause of internal cyber-breaches, aside from the common acknowledgement that it certainly occurs. But a recent survey sponsored by Egress has demonstrated two other important facts. Firstly, there has been little previous investigation of why internal haemorrhaging of data occurs, and secondly that there are still many more questions on this area of corporate cyber-weakness than there are answers.
These two factors are never more clearly displayed by the nature of the answers given in the survey, where perception and supposition play an important part in much of the evidence presented. For example, it shows that some 79% of IT leaders believe that employees have put company data at risk accidentally in the last 12 months, while 61% believe they have done so maliciously.
Furthermore, 30% of IT leaders believe that data is being leaked to harm the organisation, and 28% believe that employees leak data for financial gain. Approaching two-thirds of IT leaders (60%) believe that they will suffer an accidental insider breach in the next 12 months, while 46% believe they will suffer a malicious insider breach.
Four conclusions, each pivoting on the word 'believe'. This is not a criticism of the survey or of Opinion Matters, which undertook the poll. It is rather an important measure of the lack of respondent knowledge as to whether it is happening, by how much it is happening, or even why it is happening?
Some of the responses from employees give some clues, and seem to demonstrate that some of the problems are not security-related – at least not with any malicious intent – but rather highlight operational deficiencies within companies that can lead to accidental security weaknesses and possible breaches. This, of course, is where Egress gets its chance to obliquely highlight its vested interest, given that it specialises in managing and protecting the movement of unstructured data, especially between partnering companies so that compliance requirements are met.
For example, 92% of employees say they haven’t accidentally broken company data sharing policy in the last 12 months, and 91% say they haven’t done so intentionally. However, some 23% of employees who intentionally shared company data took it with them to a new job, and more, 29%, believe they have ownership of the data they have worked on. This raises some interesting areas for business owners, indicating that they have maybe not made clear some aspects of employment contract terms for full time employees.
What if you’re supposed to share data?
But it also raises the issue of the common practice of using contractors and short term employees, and it can be difficult for any employee, let alone a short term contractor, to unlearn what they have seen. This is as much a business practice as culture security risk.
Another business practice factor that emerged is the increasingly common contradiction that businesses place on staff, where they are expected to share data with collaborating partner businesses but, because no appropriate tools are provided for the task, they are obliged to break company rules to achieve the objective. Over half of the employees said this requirement had been forced on them. This is where techniques ranging from sharing by swapping USB sticks through to opening shared DropBox folders end up being used, with both sensitive data and overall cyber-security being put at risk.
The survey goes on to show that this leads to conditions where operational expectations put onto staff create situations where the either inadvertently create security weaknesses, or are indeed obliged to create them through lack of support or investment.
For example, while 30% of business managers believe (that word again) that data is being leaked to harm the company, and 28% say it is done to deliberately harm the business, employees had a different view of it. Some 30% of that base complained that they are being put under high pressure in the work environment, while 29% said problems occurred because they were tired. This led to the classic problems of sending data to the wrong person, or staff just losing concentration and getting caught out by a phishing email.
What this survey does show up is the difference in perception of the problem of internal security leaks between employers and employees. Perhaps there is a degree of inevitability about that, but it seems clear that there is plenty of scope for employers to put more effort into getting staff on side with more – quite possibly much more – education and training of staff. This needs to be on several fronts, such as what is in the staff contract and what it means through to the laws that apply to IP copyright. There is a need for practical exercises in spotting and managing malicious attempts at incursions. And yes, there also needs to be time devoted to teaching staff methods to de-stress themselves.
That last point, of course, also then means that company managements have to understand the stresses its staff are sometimes (often?) working under and the notion that they may not have all the right tools and/or knowledge of all the latest skills that apply to their contribution to the business.
In particular employers may want their staff to work with business partners without being clear (either to their staff or in their own minds) just what may be involved in terms of sharing sensitive data. And if the employers are not clear about that it will be very difficult for employees to make those decisions on their own.
Given that another survey, that one from US-based CompTIA, recently suggested that human error accounts for 52% of the root causes of security breaches, one of the key steps that all businesses now need to take is to raise the level of business-wide knowledge there is about the issue together with an acknowledgement that it is a problem shared equally by employers and employees.
First and foremost there needs to be a change to a no blame culture. Human error is inevitable, so the best way to help manage it is not to have staff in fear of their jobs of they `fess-up. That way, the why/what/how/when of a potential breach-causing error can be quickly identified, analysed and defensive measures – both in immediate terms of addressing the potential and the longer term changes in procedures, education and change of security tools – can be taken as soon as possible.
One more reminder of the fact that, while there are employees who, for whatever reason, will take a malicious view of their employer’s data, the majority of the risk from internal data leakage stems from the fudge-and-fumble of corporate cultures (or the lack of positive ones) that exist between employer and employee. What this survey shows above all else is that there is still a need for both sides to work together, rather than against each other.