Enterprise Management Associates (EMA) recently conducted a survey in partnership with Samsung Next, the Center for Democracy and Technology, and Virtru.
The survey explored the attitudes of IT executives and line of business leaders at North American enterprises toward data protection. Through this research, EMA was able to identify several of the misconceptions, misplaced priorities, and contradictions that continue to leave organizations vulnerable to data breaches.
In this post, we’ll unpack and summarize some of the key findings.
This research stems from a survey of IT and line of business leaders in retail, manufacturing, healthcare, government, banking, education, professional services and other industries. To supplement this data, EMA Security Research Director David Monahan conducted in-depth interviews with enterprise security executives.
You Have a Lot of Data to Protect
One of the more surprising findings was how much corporate data requires protection. Respondents reported that 72% of enterprise data needs protection — either for regulatory (40%) or corporate confidentiality reasons (32%).
72.6% of Enterprise Data Requires Protection
The #1 Source of Enterprise Data Leaks
Email is everywhere and remains the easiest way to share information. That’s why it’s the number 1 source of data leaks.
— Yet 96 percent reported that inappropriate data sharing takes place in their organization — either intentionally or by accident.
— And 56 percent acknowledged that inappropriate data sharing takes place often or very often.
In addition to this, 45 percent reported that they have personally been a victim of private business data shared inappropriately — and, of these, 84 percent report that the impact was either significant or very significant.
While Hacks Make Headlines, the Biggest Threat Comes From Inside
EMA survey respondents mistakenly identified external bad actors as the most significant threat to their business’s confidential information by a wide margin.
However, when asked to identify the actual source of leaks or breaches at their organization, respondents indicated that external actors only accounted for 39% of the leaks or breaches, which contradicts the belief that external bad actors are the most significant threat.
It turns out that insiders were responsible for a staggering 60% of all actual data leaks. This represents a combination of accidental sharing, phishing/social engineering, and malicious sharing by insiders.
Further, respondents noted a very high degree of inappropriate data sharing by their employees. This finding highlights a huge area of opportunity for enterprises who wish to improve their security posture.
The Encryption Prescription
Respondents nearly universally (97 percent) agree that encryption is important.
However, despite the overwhelming consensus that data-protecting encryption is a must-have in a modern business context, only 44% of survey respondents stated that their organization uses encryption to protect data sent in email or other communications, and only 69% use encryption to protect stored/saved data.
This is particularly troubling given that email is the number one source of data leaks among the respondents.
Why the Disconnect? Complexity Kills.
Survey respondents spoke loud and clear about why enterprise data continues to leak. A combination of perceived complexity for administrators and shortcomings in ease of use for end users means that data protection solutions are not widely adopted.
There is an undeniable presumption that traditional solutions are too hard to use, both for the technology professionals who need to deploy and maintain them and for the business people who need to use them. In fact, complexity outpaces cost by more than 3x as a barrier to adoption for security personnel. Even if the budget is there, legacy data protection solutions are clearly too cumbersome for overburdened security teams.
Beyond complexity, end user ease of use is an enormous barrier to adoption — coming in at 5x the next biggest concern.
Despite all of this, 93% of enterprises consider the ability to protect sensitive data when choosing a business partner or supplier for their business and 72% would pay more for a cloud service with superior data security.
Clearly a new approach is required.
A security architect at a leading international telecommunications company asserted that:
“We must entrench data controls more in normal business operations and communications. We cannot rely on perimeter controls or the sensibility of our employees to protect our information. We need to invest in technical solutions that thwart the traditional stereotypes of being easy to deploy and use, and do not add significant friction to work processes.”
Best Practice Recommendations:
– Go beyond regulatory requirements for data protection to ensure that intellectual property, financial information, and other corporate sensitive materials have appropriate protections.
– Don’t take systems or processes for granted. Ensure that you’re using state-of-the-art data protection approaches and test your defenses regularly.
– Focusing solely on the external threat leaves your data exposed. Ensure that your cyberdefenses protect from accidental loss and malicious sharing by employees.
– Ensure that employees are well trained in data protection. Set up automatic protections to ensure that sensitive information is secured before it’s shared. Use security tools that don’t get in the way of your users.
– Ensure that email protection is a first-class citizen in your cyberdefenses. Because email is pervasive, choose technologies that are easy enough for all your users. Develop mechanisms for auditing employee sharing by email.
– Look for opportunities to deploy encryption to protect regulated or sensitive information in email and other applications.
– Your security posture is determined by the products your employees use, not just the ones that you buy. Make ease-of-use a key buying criterion when evaluating any user-facing security technology.
– Eliminate complexity by seeking data protection products that are easy to deploy and manage. Shelfware does nothing to improve security posture.
– Virtually all experts agree that encryption is an important part of an enterprise data protection strategy. Look for solutions that can be widely deployed specifically for data leak protection.
– Make it a priority to communicate your data security posture to prospective customers and partners. It makes a difference in their willingness to do business with you.