The data blame game: what to do when executives are playing fast and loose with core IP

93 per cent of CEOs store their work on a laptop or other personal device outside of official company storage, finds survey

Risky employee behaviour—particularly in the C-suite—is undermining security strategies at many organisations and driving them to find new ways to secure critical enterprise data.

Data security company Code42 recently polled more than 1,030 security and IT managers and another 600 CEOs and business leaders about their attitudes on data loss and recovery. The results revealed some startling internal disconnects that are jeopardising the ability of organisations to protect sensitive data.

Seventy-four per cent of business leaders, for instance, consider data and ideas to be their most precious assets. Yet, 93 per cent of chief executives store their work on a laptop or other personal device outside of official company storage, often fully aware of the risks involved. Fifty-nine per cent of CEOs also download unapproved software because they use it in their personal lives, or because it makes their work lives easier.

A couple of factors are fuelling this risky behaviour. One of them is a somewhat misplaced sense of data ownership. Half of the CEOs surveyed felt that the work and ideas they generated on the job personally belonged to them. Those who expressed this sentiment said they felt very protective of their work because of the effort they had put into creating it. The feeling of personal entitlement over data is so strong that 72 per cent of CEOs and 49 per cent of business leaders take IP with them when switching employers.

A lack of direct accountability for user actions is another factor. When asked to identify the group responsible for data security at their organisations, a plurality of IT leaders, business executives and CEOs pointed to information technology and security groups. Only 8 per cent of IT and security leaders felt that employees—the people actually creating and accessing a lot of the enterprise data that needs to be protected—were responsible for data security.

That disconnect is troubling especially considering the high number of data breaches caused by accidental and risky employee behaviour these days. A staggering 93 per cent of the breaches that Verizon investigated in 2017 involved users clicking on dangerous attachments and links, or falling for other phishing and social engineering scams.

Security and IT leaders are aware of what is going on—78 per cent of CISOs consider their biggest security risk to be employees who disregard company policies and practices. Yet security groups often appear unable to alleviate the situation because they have only limited visibility into the activity.

At a high percentage of organisations, valuable enterprise data assets exist only on endpoints such as desktops, laptops and mobile devices over which IT has little control. A troublingly high 20 per cent of the security and IT leaders in the Code42 survey said their companies did not have full visibility over corporate data as it moves through the organisation and outside traditional security perimeters.

The need for change

The survey results highlight the need for better data visibility and recovery capabilities at many companies. Forty-five per cent of IT and security leaders believe they would be able to more quickly detect and mitigate data threats if they had the ability to monitor data movement across the enterprise and on endpoint devices. Almost the same number—43 per cent—felt they would be better able to identify and prioritise data threats with the right visibility.

Prevention-only security strategies, including legacy data loss prevention solutions, are also clearly no longer enough. Six-in-ten CISOs say their organisations were breached in the last 18 months and 64 per cent expect one to happen in the next 12 months.

Worries over the consequences of data breaches are as high as the expectations for having one. Twenty-two per cent of IT and security leaders believe that losing all corporate data currently on endpoint devices would be business destroying.

Such concerns are, not surprisingly, driving considerable enterprise interest in post-breach response and recovery capabilities. Eight-in-ten CEOs believe their organisations will need to improve their data breach recovery capabilities in the next 12 months; 42 per cent believe that the ability to restore business continuity quickly after a breach is critical.

The broad takeaway from Code42's survey is that companies need to start rethinking current approaches to data security. One place to begin is examining the efficacy of traditional data loss prevention (DLP) software. Today's collaborative, IP-rich companies that are creating the newest products and services are at too much risk with inadequate prevention only security strategies. They need new approaches that focus on protection and help them recover from the consequences of inevitable risky employee behaviour.

Richard Agnew is vice president EMEA at Code42

IT security failings are, increasingly, costing CIOs and CEOs their jobs. With business utterly dependent on IT, it's not enough for senior executives to dismiss security as ‘techie stuff'. At Computing's Enterprise Security & Risk Management Live event, hear from the National Crime Agency, ex-hackers and big-business CISOs to learn about how they are tackling cyber security. For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.