On Balance

As cyber security technology continues to evolve at breakneck speed, so do the threats businesses face every day. Part of the challenge of this new reality is that the amount of data organizations deal with is growing daily.

The more data companies create – and they create a lot – the more risks there are that data can be compromised. Add the growing complexity and need for data mobility in a modern workplace, and it is a recipe for disaster.

Brett Hansen, Vice president, Endpoint Data Security and Management, Dell

The Dell End-User Security survey, released in April, discovered some revealing facts about how workers around the world approach data security on the job. Globally, the survey of 2,608 professionals who handle confidential data at companies with 250-plus employees, found that 72% of respondents are willing to share confidential, regulated or sensitive data under certain circumstances.

What could cause such a high number of people to share data inappropriately? Are 72% of polled employees careless, or have they simply “gone rogue” without reason?

Of course not. Rather, these are workers who simply face a number of scenarios in their day-to-day jobs in which it makes good business sense to share sensitive data. But how can that be the case?

ROCK AND A HARD PLACE

Today’s workforce is caught between two imperatives: be as productive and efficient as possible on the job, while maintaining the security of company data. Put simply, as data volumes increase, so does the need to access and share that data in different ways on the job. And while workers need to, in theory, maintain a high standard of data security, that is not always the case.

To ease the friction between these competing goals, companies must focus on educating employees and enforcing policies and procedures that secure data wherever they go, without hindering productivity.

Many companies understand the need to protect their information where it is stored, but if it is not also being protected when it is being shared or used, that opens up organizations to the risk of disastrous and expensive breaches.

What is troubling is not so much that employees are sharing data, but how they are going about it. Today’s workforce is more mobile and collaborative than ever, and employees are engaging in risky behaviours not to be malicious, but to get their jobs done.

More than half of surveyed employees (56%) use public cloud services such as Dropbox, Google Drive, iCloud and others for sharing or backing up their work. These are all great services, but used incorrectly and not aligned to IT security protocols, they create major gaps in data security. Similarly, when sharing confidential files with third-party vendors or consultants, nearly half (45%) of respondents report using email, while one-third (31%) say these outside parties have access to their company’s intranet or other internal information system.

In most cases, there are no repercussions for employees sharing data, as security teams may not even be aware of the protocol breach and nothing untoward happens. This lack of immediate action, however, makes it all too easy for employees to dismiss the risks and continue breaking security protocol.

Add to that the concerning finding that even employees who have been educated on the risks of sharing confidential data without following security protocols have not fully “bought into” the consequences that can arise from this behaviour.

To address data security issues, companies must focus on educating employees, and creating and enforcing policies and procedures that secure data wherever they go — all without hindering productivity.

Beyond education, though, organizations must accept that employees really want one thing: to get things completed as quickly and efficiently as possible. Employees are measured by how efficiently they get their jobs done and often have targets to hit. For data to be most effective, it needs to move and be shared.

The solution is to provide tools that do not inhibit employee productivity, but, rather, embrace it, while also still allowing the company to maintain a security data posture that is aligned to its risk.

CANADIAN CONTENT

But what about Canada? Are Canadian workers any more educated and cautious with company data?

It turns out that Canadians taking part in the survey are slightly savvier than workers globally when it comes to data security and safe sharing practices. That said, survey findings also show that Canadian respondents are struggling to adapt to the new digital workforce and how to safely handle data.

In all, 22% of Canadian workers polled say they cut corners on data safety to get their jobs done, while a quarter do not even know when they are doing something wrong.

Fortunately, only 1% of Canadian respondents say they had malicious intentions when conducting unsafe behaviours, compared to 3% globally.

The results are clear: workers around the world now regularly handle and transfer data in unsafe ways, and Canada is no exception.

Even management struggles with how to safely handle data in the workplace: 40% of polled Canadian workers cite direction from management when asked why they share sensitive data under certain circumstances, the most common reason given (others included determining the risk to their companies was low and the potential benefit high, and feeling it would help them do their jobs more efficiently).

It seems that training in data safety needs to happen at almost all levels of business in Canada.

STEADY GROWTH

Despite investment, data breaches are growing year over year. Historically, companies followed the data loss protection method, where no data could be shared outside the corporate network. But with the new digital workforce — where employees can work from home or bring their own devices — this simply is not sustainable.

So in addition to employee carelessness, one of the reasons data breaches occur so frequently is because companies still rely on legacy security technology that is not equipped to deal with today’s advanced ransomware and malware threats. WannaCry recently exposed this vulnerability firsthand when it infected computers around the world.

The future of cyber attacks is directly tied to the future of where data will travel as employees become more and more mobile. The Internet of Things and constant connectivity means that data will be pivotal to more areas of both corporate and personal lives.

As data becomes more vital, the ransoms placed using ransomware will be proportionate to the value of that data. Not only does this mean more opportunities for data to be held hostage, but it potentially raises the dollar value organizations are willing to pay for recovery.

Operational costs for repairing damages

following a cyber attack are also increasing and employers are feeling the impact. Heavily mandated compliance industries such as healthcare, finance, insurance and oil and gas could have fines associated with an end-user attack, not to mention the reputational costs.

To better prevent against cyber attacks, organizations need to strive for higher levels of awareness, enablement and protection simultaneously. This includes doing the following:

• establish a cyber security strategy and practices that are aligned to business strategy and objectives;
• identify critical data, understanding who, how and where it is accessed to accurately define the risks;
• understand the needs of the entire workforce (not just full-time employees), including defining and communicating policies that are aligned to their needs;
• provide regular, practical employee education that covers the why as well as the what; and
• understand that employees will not be able to protect themselves, so it is necessary to market policy and education with technology that focuses on protecting company data, as well as embraces business requirements and the digital workforce.

While the majority of polled employees report feeling it is their responsibility to protect company information, they face hurdles. For example, 21% of survey respondents say security put in place slows down their work and 21% report that they feel it is difficult to keep up with changing security guidelines and policies.

Results further show that organizations have to accept two truths: confidential data will be sent, stored and accessed on a daily basis; and employee training alone is not going to keep corporate information secure.

It is imperative that organizations design their security programs to implement a combination of solutions that address security awareness, enablement and protection among the workforce.

If companies are going to keep their data truly safe amid an ever-evolving threat landscape, clear protocols must be in place.

Further, these protocols must be backed by a realistic understanding of employees’ day-to-day responsibilities, as well as technology that protects sensitive data wherever employees go — whether at rest, in motion or in use.

-Brett Hansen, Vice President, Endpoint Data Security and Management, Dell