What is endpoint data security about? Is it technology, behaviour and trust? Of course. But, in the end, it is all about money and risk! A data breach today can lead to a damaged reputation, loss of customers, serious financial penalties and the potential destruction of the business. As a security professional, you need to be on the front foot with your security strategy—and you need to understand that it is not a technology problem per se, but a systemic risk to your entire business.
After reviewing Code42’s 2016 Datastrophe Study, this is even clearer. The findings of the Study reveal how chief information officers (CIOs), chief information security officers (CISOs) and IT decision makers (ITDMs) view the porous enterprise—and it is very, very porous. The Study also showcases the views of employees who are, after all, the people holding most of their organisation’s data outside the perimeter, on endpoint devices—whether their employers know it or not.
Here are a few things from the research that struck me:
Poor security awareness remains the biggest risk
67% of knowledge workers do not believe their companies have clearly defined BYOD policies in place, yet 65% of ITDMs suggest they do. This should be an alarming statistic for those controlling enterprise security. If knowledge workers do not understand the vulnerabilities inherent in their use of mobile and endpoint devices, they will continue to unwittingly contribute to insider threat.
There’s a need to be proactive to get ahead of legislation
The threat to the enterprise does not stop at a lack of education and communication. The rapid adoption of cloud-based solutions, many of which are not subjected to legal and security scrutiny, means that firms are in danger of breaching data protection legislation. Take the new General Data Protection Regulation (GDPR) for example—firms are simply not prepared for the compliance issues this new regulation will pose. In fact, half of enterprise IT decision makers (50%) are concerned that the security measures they have in place today will not meet the new GDPR.
In addition, the threat landscape is constantly expanding and becoming more complicated; unencrypted data stored in the cloud or on endpoint devices is vulnerable to theft and even modification by criminal hackers. But there are steps that enterprise security teams can take to minimise risks. Data that is moving outside the secure corporate perimeter can be protected by utilising endpoint backup solutions, such as Code42 CrashPlan, that encrypt data at rest and in-transit, regardless of device type, thus limiting the opportunity for a cloud-based attack.
Trust is still an issue in light of media-facing breaches
There’s been a flood of news about data breaches in the media that have rocked consumer trust in a number of brands’ ability to protect their data—take TalkTalk as a recent example. It’s therefore not too surprising to hear that a quarter (25%) of knowledge workers do not trust their IT teams/employers with their personal data. But it is very concerning when you hear that at least a third (36%) of knowledge workers believe their company could face a data breach that will go public in the next 12 months. Trust can only be built through education, communication and by ensuring that your business has the right data protection solutions in place.
The 2016 Datastrophe Study shows that there is work to be done. Where modern knowledge workers and IT security professionals work together, the risk of a data breach from a lost or stolen device can be dramatically reduced. Yet you have to keep in mind that, rather than relying on traditional (and often unrelatable) training that does little to increase awareness, your organisation should invest in story-based material with which users can identify and engage. Once knowledge workers understand the nature of the threats and how specific behaviours can increase the likelihood of a breach, they will happily adopt an alternative approach that works—and you can avoid a datastrophe!
You can hear more about my views by watching the Datastrophe video, which I was happy to participate in.