A new report from Ponemon Institute for Varonis (Corporate Data: A Protected Asset or a Ticking Time Bomb?) reveals a widespread lack of oversight and control over employee access to confidential, sensitive information, such as “customer lists and contact information, intellectual property, and private information about customers, employees and business partners.”
The study surveyed 2,276 employees in American, British, German and French organisations, of whom 1,166 were “IT professionals” and 1,110 were “end users” who worked in other areas, such as “sales, finance and accounting, corporate IT, and business operations”.
The report found a significant difference of opinion between the two groups on information security matters, suggesting that communication between IT and the rest of the business remains poor.
- 71% say they have access to company data that they should not be able to see.
- 54% say they access such data frequently or very frequently.
- 47% say the organisation doesn’t enforce its policies relating to the misuse of or unauthorised access to company data.
- 45% say they are more careful with company data than their supervisors or managers.
- Only 22% say their organisation is able to tell them what happened to lost data, files or emails.
- 73% believe the increase in company data (such as emails, presentations, multimedia files) has affected their ability to find and access data.
- Just 22% believe their organisations place “a very high priority” on data protection.
- 55% say their company’s efforts to tighten security have impacted their productivity.
- 76% say there are times when it is acceptable to transfer work documents to their personal computer/tablet/smartphone/public Cloud. Only 13% of IT practitioners agree.
- 80% say their organisation doesn’t enforce a strict least-privilege data model.
- 34% say they don’t enforce any least-privilege data model.
- 51% believe their CEO and other C-level executives consider data protection a high priority.
- 73% say their department takes data protection “very seriously”.
- Only 47% believe company employees take the necessary steps to secure company data.
Both groups seem to agree on one thing: 64% of end users and 59% of IT professionals believe that insiders are “unknowingly the most likely to be the cause of leakage of company data.”
IT practitioners seem to have spent years concentrating on perimeter security without protecting the data itself, or communicating the necessity of protecting data to other company employees, with the result that cyber attacks and data breaches are a greater problem than ever. IT professionals recognise that employees are the weakest part of the security chain, and yet there seems to be no success in addressing this problem, whether through better staff training, greater communication, or a robust system to address enterprise-wide information security.
An information security management system (ISMS), as set out in ISO/IEC 27001, the international standard for information security management, addresses all of these problems. Following international best practice, organisations that implement an ISO 27001-compliant ISMS can create and maintain a security system that covers people, processes and technology.
IT Governance has created four ISO 27001 implementation packages to suit the needs of any organisation, whatever its size, sector, location, budget, or preferred project approach.