We’re thrilled to announce the release of our Data Exposure Report. It reveals some startling truths about how human behavior drives data security vulnerabilities, despite the billions companies spend on data loss prevention.
IT leaders and CISOs will find some of their suspicions validated by the findings, particularly that CEOs are among the worst offenders at violating data security policy. But many of the disconnects we found between current data security strategies and the reality of the threat landscape will be surprising and sobering:
- Almost three-quarters (72 percent) of CEOs admit they’ve taken valuable intellectual property from a former employer. Yet 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise.
- As many as 80 percent of CISOs agree that “you cannot protect what you cannot see.” Business leaders, however, have a different perspective. Among business leaders, 82 percent believe that IT can somehow protect data they cannot see.
- Among CISOs, 64 percent believe their company will have a breach in the next 12 months that will go public, which has led nearly 73 percent of CISOs to stockpile cryptocurrency to pay cybercriminals.
The report, based on surveys of nearly 1,700 security, IT and business leaders from the U.S., U.K. and Germany, provides a comprehensive view of attitudes toward data security in this age of rapidly evolving cyber threats. This is the first in a series of four blog posts. Each post will delve into one of these key areas:
- Emotional drivers of employee behavior that can put a company’s data at risk.
- The importance of data visibility for security to do its job of safeguarding company data.
- How to recover from a data breach while maintaining continuity.
Potentially most valuable for IT and security leaders, this report provides insights on ways to build business continuity and resilience in the face of an increasingly complex threat landscape. The upshot: resilience comes from companies evolving their data security strategies to include recovery from data breaches as well as prevention of those breaches in the first place.
“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy,” said Rob Westervelt, research director for the security products group at IDC. “To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats.”
Data is precious, but talk is cheap
The report reveals that, while most CEOs say their IP is one of their most valuable assets, they are the very people who put IP at risk through data practices they admittedly know are unsafe. Some key findings:
- Among CEOs, 59 percent admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77 percent) believe their IT department would view this behavior as a security risk, but disregard the warning.
- The majority of CEOs (93 percent) admit to keeping a copy of their work on a personal device, outside of officially sanctioned company storage. More than 68 percent of CEOs think there’s risk in keeping data solely outside of company storage, but they do so anyway.
So even though they know it’s risky—and they may have even lost work as a result of it—C-suiters continue to put their companies at risk by defying company policies and data security best practices.
The risks of playing data hide-and-seek
In this digital age, more flexible workplaces result in employees saving data on their endpoints, making it increasingly difficult for security departments to see that data and protect it during a breach. Some key findings from the report:
- Nearly three-quarters (73 percent) of security and IT leaders believe that some company data only exists on endpoints, such as desktops or laptops.
- As many as 71 percent of security and IT leaders and 70 percent of business leaders believe that losing all corporate data held on the endpoint devices would be business-destroying or seriously disruptive.
- In addition, 86 percent of security and IT leaders believe employees saving files outside of corporate storage poses a serious risk to the organization.
While a clear and strong company policy on data security is critical, it’s no match for the reality of human behavior. Companies must resign themselves to employees working and saving precious IP on their endpoints—not to mention engaging in other risky behavior that could result in a data loss incident.
Playing defense in an unpredictable threat landscape
In the evolving threat landscape, companies that experience a ransomware attack are increasingly faced with the untenable choice of paying off cybercriminals or losing precious data. Some key findings from the report:
- Among CISOs, 61 percent say their company has been breached in the past 18 months.
- The threat of cyberattack has led 73 percent to stockpile cryptocurrency to pay cybercriminals; of those, 79 percent have paid a ransom.
The most sobering part about these particular findings is the unnecessary use of resources to react to cyberthreats in this way. If a data loss event strikes, a comprehensive data security strategy that includes visibility provides companies with the ability to understand what happened and when. As a result, they are positioned to recover much faster.
An ounce of prevention no longer worth a pound of cure
Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today’s complex threat landscape.
- Three-quarters of CISOs (75 percent) and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention- and recovery-driven security.
To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.
Read Part Two of our blog series on the Code42 Data Exposure Report, “Is Your C-Suite Putting Your Data Security at Risk,” to learn how emotional drivers contribute to poor data security habits among employees.