Employees and CIOs Can't Agree on Who Is to Blame for the Constant Torrent of Insider Data Breaches
Far too often, when a large organization is hit by a data breach, it's quick to announce that an investigation is ongoing and that its security specialists, along with outside experts and law enforcement agents, will try to do everything they can to find out who is responsible for the incident. People and organizations are sometimes so focused on finding out who's done it that they forget what their real priority should be – learning how many people were affected and finding out what can be done to protect their data and privacy.
A thorough investigation is nevertheless a vital part of the response to a cybersecurity incident. To prevent future data leaks, organizations must find out what happened and draw all the necessary conclusions.
We're seeing more and more breaches where data gets leaked with no outside help. In such cases, finding out where the mistake was made is even more important. Unfortunately, a survey commissioned by security company Egress shows that more often than not, this is far more difficult than it seems.
IT leaders and employees interviewed in an attempt to find out who is responsible for the state of data security
The report is called Insider Data Breach 2019, and as its name suggests, it focuses on data security incidents that happen without interference from hackers. The research was conducted by Opinion Matters and involved 500 IT leaders (Chief Information Officers) and just over 4,000 employees in the US and the UK.
The respondents were asked various questions regarding the way their employer handles data. They told researchers whether or not the companies they work for have suffered a breach recently and whether or not they expect one in the future. They gave opinions on who is responsible for what and whether the procedures and policies are as clearly stated as they should be. It turns out that there's an enormous abyss between what IT leaders and regular employees think.
Nobody seems to agree on anything
It looks like CIOs aren't terribly confident in employees' ability to keep information secure. A whopping 95% of them think that insiders can really put their organization's data at risk. In their minds, they have a good reason for this.
79% of the interviewed IT leaders believe that during the previous year, employees have put company information at risk, and 61% think that they have done so deliberately. 60% of the interviewed CIOs believe that their organizations will suffer a data breach of some sort during the next twelve months, and almost half (46%) think that the breach will be malicious.
When lower-level employees get to answer the questions, however, things look very different. More than 90% of them say that they have never broken their organization's policy when it comes to processing information. And of those that do admit to sharing data insecurely, more than half claim that they did it because they weren't given the right tools to do it properly.
In other words, the blame is tossed around like a hot potato, and at the same time, the never-ending stream of data breaches shows that the situation is far from ideal. Is there a way out of it?
Securing company data should be a coordinated process
Keeping business information secure in this day and age is an ongoing, complicated process that depends on many different people, which means that when things go wrong, it's often difficult to point the finger at a single person and say "It's their fault". The fact of the matter is, everyone, from C-level employees right down to the person copy-pasting information from one database to another, must be fully aware of how important data is and what the consequences of losing it are.
CIOs must work with lower-level workers to create policies that protect the data and ensure a smooth workflow at the same time. Employees must be taught how to make the best of these policies, and crucially, they should be told what could happen if they don't stick to them.
Unfortunately, given the wide gap in the figures quoted in Egress' Insider Data Breach 2019 report, predicting a significant improvement in the near future would be little more than wishful thinking.