CIOs and employees differ on data ethics, ownership and root causes of insider breaches
People-centric data security company Egress today announced the results of its first Insider Data Breach survey, examining the root causes of employee-driven data breaches, their frequency and impact. The research highlights a fundamental gulf between IT leaders and employees over data security and ownership that is undermining attempts to stem the growing tide of insider breach incidents.
The research was carried out by independent research organisation Opinion Matters and incorporated the views of over 250 U.S. and U.K.-based IT leaders (CIOs, CTOs, CISOs and IT directors), and over 2000 U.S. and U.K.-based employees. The survey also explored how employees and executives differ in their views of what constitutes a data breach and what is acceptable behaviour when sharing data.
Key research findings include:
79% of IT leaders believe that employees have put company data at risk accidentally in the last 12 months. 61% believe they have done so maliciously.
30% of IT leaders believe that data is being leaked to harm the organisation. 28% believe that employees leak data for financial gain.
92% of employees say they haven’t accidentally broken company data sharing policy in the last 12 months; 91% say they haven’t done so intentionally.
60% of IT leaders believe that they will suffer an accidental insider breach in the next 12 months; 46% believe they will suffer a malicious insider breach.
23% of employees who intentionally shared company data took it with them to a new job.
29% of employees believe they have ownership of the data they have worked on.
55% of employees who intentionally shared data against company rules said their organisation didn’t provide them with the tools needed to share sensitive information securely.
The survey results highlight a perception gap between IT leaders and employees over the likelihood of insider breaches. This is a major challenge for businesses: insider data breaches are viewed as frequent and damaging occurrences, of concern to 95% of IT leaders, yet the vectors for those breaches – employees – are either unaware of, or unwilling to admit, their responsibility.
Carelessness and a lack of awareness are root causes of insider breaches
Asked to identify what they believe to be the leading causes of data breaches, IT leaders were most likely to say that employee carelessness through rushing and making mistakes was the reason (60%). A general lack of awareness was the second-most cited reason (44%), while 36% indicated that breaches were caused by a lack of training on the company’s security tools.
However, 30% believe that data is being leaked to harm the organisation and 28% say that employees leak data for financial gain.
From the employee perspective, of those who had accidentally shared data, almost half (48%) said they had been rushing, 30% blamed a high-pressure working environment and 29% said it happened because they were tired.
The most frequently cited employee error was accidentally sending data to the wrong person (45%), while 27% had been caught out by phishing emails. Concerningly, over one-third of employees (35%) were simply unaware that information should not be shared, proving that IT leaders are right to blame a lack of awareness and pointing to an urgent need for employee education around responsibilities for data protection.
Tony Pepper, CEO and co-founder, Egress, comments: “The results of the survey emphasise a growing disconnect between IT leaders and staff on data security, which ultimately puts everyone at risk. While IT leaders seem to expect employees to put data at risk – they’re not providing the tools and training required to stop the data breach from happening. Technology needs to be part of the solution. By implementing security solutions that are easy to use and work within the daily flow of how data is shared, combined with advanced AI that prevents data from being leaked, IT leaders can move from minimising data breaches to stopping them from happening in the first place.”
Confusion over data ownership and ethics
The Egress Insider Data Breach survey found confusion among employees over data ownership. 29% believed that the data they work on belongs to them. Moreover, 60% of employee respondents didn’t recognise that the organisation is the exclusive owner of company data, instead ascribing ownership to departments or individuals. This was underlined by the fact that, of those who admitted to sharing data intentionally, one in five (20%) said they did so because they felt it was theirs to share.
23% of employees who shared data intentionally did so when they took it with them to a new job, while 13% did so because they were upset with their organisation. However, the majority (55%) said they shared data insecurely because they hadn’t been given the tools necessary to share it safely.
The survey also found that attitudes towards data ownership vary between generations, with younger employees less aware of their responsibilities to protect company data.
Tony Pepper adds: “As the quantity of unstructured data and variety of ways to share it continue to grow exponentially, the number of insider breaches will keep rising unless the gulf between IT leaders and employee perceptions of data protection is closed. Employees don’t understand what constitutes acceptable behaviour around data sharing and are not confident that they have the tools to work effectively with sensitive information. The results of this research show that reducing the risk of insider breaches requires a multi-faceted approach combining user education, policies and technology to support users to work safely and responsibly with company data.”