Critical data at risk via employees with access to sensitive files
Written by staff reporter
As attention shifts from sophisticated external attacks to the role that internal vulnerability and negligence often play, a new survey conducted by the Ponemon Institute suggests that most organisations are having difficulty balancing the need for improved security with employee productivity demands.
Employees with needlessly excessive data access privileges represent a growing risk for organisations due to both accidental and conscious exposure of sensitive or critical data.
Larry Ponemon, chairman of The Ponemon Institute, observed, “The sheer growth of both digital information and our dependence on it can overwhelm organisations’ attempts to protect their sensitive data. This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences.”
Both IT practitioners and end users are witnessing a lack of control over employee access and use of company data, and the two groups generally concur that their organisations would overlook security risks before they would sacrifice productivity.
Only 22% of employees surveyed believe their organisations as a whole place a very high priority on the protection of company data, and fewer than half of employees believe their organisations strictly enforce security policies related to use of and access to company data. Further, the proliferation of business data is already negatively impacting productivity, making it harder for employees to find data they truly need and should be able to access, and to share appropriate data with customers, vendors and business partners.
Critical data access: Key findings on control and oversight
• 71% of end users say that they have access to company data they should not be able to see
• 54% of those end users who have access they shouldn’t characterise that access as frequent
• 80% say their organisations don't enforce a strict least-privilege (or need-to-know) data model
• Only 22% of employees say their organisation is able to tell them what happened to lost data, files or emails
• 48% of IT practitioners say they either permit end users to use public cloud file sync services or permission is not required
• 73% of end users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data
• 43% of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs, and only 22% report that access is typically granted within minutes or hours
• 60% of IT practitioners say it is very difficult or difficult for employees to search and find company data or files they or their co-workers have created that isn’t stored on their own computers
• 68% of end users say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors
The survey was derived from interviews conducted in October 2014 with 2,276 employees in the United States, United Kingdom, France, and Germany. Respondents included 1,166 IT practitioners and 1,110 end users in organisations ranging in size from dozens to tens of thousands of employees, in a variety of industries including financial services, public sector, health and pharmaceutical, retail, industrial, and technology and software.