30 Aug 2016
Despite the rise of social engineering-based scourges like ransomware, just 39% of workers believe they take all appropriate steps to protect company data accessed and used in the course of their jobs.
This is a sharp decline in security hygiene, down from 56% in 2014, according to a survey from the Ponemon Institute.
Moreover, while 52% of IT respondents believe that policies against the misuse or unauthorized access to company data are being enforced and followed, only 35% of end-user respondents say their organizations strictly enforce those policies.
Yaki Faitelson, co-founder and CEO of survey sponsor Varonis Systems, noted, “Human error will always be a weak link in security. Insiders compromise security maliciously or accidentally and outside attackers continue to hijack the credentials and systems of employees, administrators, contractors, and executives. The only way to stem this tide is to implement controls on data access, monitor all activity and implement the most advanced user behavior analytics and alerting technologies throughout the organization.”
A previous report from Ponemon found a sharp rise in the loss or theft of data, an increase in the percentage of employees with access to sensitive data, and the belief among participants that insider negligence is now the No. 1 concern for organizations trying to prevent these losses.
In the new survey, when asked about the most likely causes of the compromise of insider accounts, 50% of IT practitioners and 58% of end users say negligent insiders. “Insiders who are negligent” was by far the most frequent response for both IT and end users, more than twice as common as “external attackers” and more than three times as common as “malicious employees.”
End users are also far more likely to attribute data breaches to insider mistakes than IT or security professionals. Seventy-three percent of end users say data breaches are very frequently or frequently due to insider mistakes, negligence or malice, while only 46% of IT respondents draw the same conclusions.
Yet in an indication of where logical thinking breaks down when it comes to security attitudes, the new data also reveals that this awareness isn’t translating into action. About 61% of respondents who work in IT or security roles view the protection of critical company information as a very high or high priority—but just 38% of respondents who are considered end users of this data believe the same. When asked to agree or disagree that the protection of company data is a top priority for their CEO and other C-level executives, only 35% of end users agreed, while 53% of IT professionals believe it is a top priority for senior executives.
Asked about their organization’s attitude on productivity vs. security, 38% of IT practitioners and 48% of end users say their organizations would accept more risk to the security of their corporate data in order to maintain productivity.
"At a time when one would expect general improvement in end-user hygiene due to increased awareness of cyberattacks and security breaches, this survey instead found an alarming decline in both practices and attitudes,” said Larry Ponemon, chairman and founder of Ponemon Institute. “If an organization’s leadership does not make data protection a priority, it will continue to be an uphill battle to ensure end users’ compliance with information security policies and procedures. Major differences between the IT function and end users about appropriate data access and usage practices make it harder to reduce security risks related to mobile devices, the cloud and document collaboration.”