A new study released in June reveals that the majority of companies don’t have the proper policies, education, and tools in place to protect sensitive information from being disclosed to insiders. The study, conducted by the Ponemon Institute and titled “Risky Business: How Company Insiders put High Value Information at Risk,” concludes that a large amount of high-value information is at risk and that finding and stopping leaks of this information is a great challenge.
Employees have always been a big risk factor for companies—this isn’t new. A U.K. study earlier this year found that 50% of the worst breaches were caused by human error. The “Risky Business” study agrees with this. Over half of respondents said a breach was caused by a negligent employee, and almost 40% said lost/stolen devices were the cause of the breach.
One of the missing links is proper education and policies. About 56% of companies surveyed said their organization doesn’t educate employees on protecting documents or files containing confidential information. While it is easy to blame careless employees, the burden should be placed on the enterprise. Organizations have a responsibility to educate everyone about the importance of protecting valuable information. An uninformed employee may not know the critical nature of company information or the implications if the information is disclosed.
Unsurprisingly, but still disappointingly, lack of encryption is one way sensitive information is getting into the wrong hands, according to the study. Almost half of employees in the represented organizations share or transfer confidential documents with other employees. This sharing occurs over unencrypted email channels 69% of the time and through a cloud-based file-sharing tool 58% of the time. Half of survey respondents said their company lacks a policy about acceptable file-sharing habits.
There are many challenges for companies that want the utmost security for confidential documents. One main sore spot may be that no one in the organization has the designated job of protecting information, educating employees, implementing protocols, and reviewing practices. In fact, 37% of respondents said their company does not have someone in charge of this.
Another challenge is the amount of proprietary information “floating around” the company; not many people know the precise location of certain documents.
Protecting sensitive data is always going to be a challenge as attackers become more sophisticated. Organizations must put up a fight in order to protect sensitive documents.
What we learn from this study is that companies should give someone in their organization the responsibility of overseeing confidential information. This person needs to establish protocols for document sharing—ensuring documents are encrypted during transfer—and then educate employees about policies and procedures.