According to the results of our 2018 Data Exposure Report, the answer is likely “Yes.” Some of the most surprising insights revealed by the report, based on surveys of nearly 1,700 security, IT and business leaders, have to do with the impact of human emotions and behavior on data security—particularly across the C-suite.
CISOs and IT leaders probably won’t be surprised to learn that C-suite work habits don’t necessarily adhere to data security policies—and CEOs are among the worst offenders. Our report reveals that their risky behavior is due to old-fashioned work habits, convenience, good intentions and even a sense of ownership over the work.
Understanding the motivations behind problematic behavior is a good start toward adopting more effective data security strategies. But the real takeaway is this: strong policies are no match for human behavior. True data protection allows for the reality of human behavior by providing backup and restore capabilities as well as breach prevention.
Not practicing what they preach
The report reveals that 78 percent of CEOs believe that ideas, in the form of intellectual property (IP), are one of the most precious assets within their organizations. However, 93 percent of CEOs admit to keeping a copy of their work on a personal device, outside of officially sanctioned company storage. And the majority of security and IT leaders (86 percent) believe the extent to which employees save files outside of corporate storage poses a serious risk to the organization.
Despite knowing that it’s risky, and being charged with enforcing their own company’s policies, C-suiters continue to put precious company data at risk. What gives? According to the survey, an emotional connection to their work is one of the culprits.
The ownership dilemma
The survey finds that 65 percent of business leaders have a strong sense of ownership of their work. More than half (53 percent) say this is because they impart a bit of themselves into what they create.
This should be good, right? Not necessarily. Counterintuitive as it seems, the very employees who feel a sense of personal ownership over their work often engage in risky behavior patterns at the expense of corporate policy.
Nearly three-quarters of CEOs (72 percent) and 49 percent of business leaders admit to bringing IP with them from a previous employer—highlighting that the very people who should be the most responsible for protecting an organization’s most precious data are not playing by the rules.
Working methods and personal preference
Just over half of CEOs (59 percent) admit to downloading software knowing it may not be approved by IT. Seventy-seven percent of business leaders believe the IT team would consider this a risk, yet they do it anyway.
The risks from the C-suite don’t stop at losing data. Most of us have experienced that “uh-oh” moment when we’ve inadvertently clicked on an email link we shouldn’t have. Almost two-thirds of CEOs (63 percent) and exactly half of all business leaders have admitted to doing the same—either by accident or oversight.
No wonder 78 percent of CISOs believe that the biggest risk to organizations is people trying to do their jobs the way they want—in a way that is most effective for them—with a disregard for rules.
Recovery must be part of the solution
The results make clear that strong data policies are no match for the reality of human behavior. After all, if your senior leaders aren’t following the rules, how can you expect the broader employee base to follow your policies?
Data security strategies must therefore include recovery solutions in addition to breach prevention tactics. That’s because no matter how strong your security perimeter is, an employee can easily open the gate to data risk and cyber threats.
It’s better to have the ability to quickly and easily recover when that happens rather than hope everyone follows the rules—because the reality is that they don’t.
Watch for the next blog post in our Data Exposure series. It will delve into the disconnect between business leaders and security/IT staff over how IT goes about its job protecting data. To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.
In case you missed it, part one is “Data Exposure Report: A Must-Read for Security Decision-Makers.”
The Code42 2018 Data Exposure Report