In a clear demonstration that top executives defy data security best practices and company policy, 72 percent of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer.
93 percent of CEOs say they keep a copy of their work on a personal device, outside the relative safety of company servers or cloud applications. Yet, 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise, showing a disconnect between what executives say and do.
The findings, detailed in the recently released 2018 Data Exposure Report, raise concerns about the role of human emotions in risky data security practices. The findings also underline the need for a realistic data security strategy that not only addresses human behavior, but also takes both prevention and recovery into account. The survey, conducted by Sapio Research, includes feedback from nearly 1,700 security, IT and business leaders in the U.S., U.K. and Germany.
“It’s clear that even the best-intentioned data security policies are no match for human nature,” said Jadee Hanson, Code42’s chief information security officer. “Understanding how emotional forces drive risky behavior is a step in the right direction, as is recognizing ‘disconnects’ within the organization that create data security vulnerabilities. In a threat landscape that is getting increasingly complex, prevention-only strategies are no longer enough.”
Data is precious, but talk is cheap
While companies spend billions to prevent data loss, the research suggests that data remains vulnerable to employee transgressions — and the C-suite is among the worst offenders. In a clear demonstration of a disconnect between what top leaders say and what they do:
- Almost two-thirds of CEOs (63 percent) admit to clicking on a link they shouldn’t have or didn’t intend to, putting their corporate and potentially personal data at risk from malware.
- In addition, 59 percent of CEOs admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77 percent) believe their IT department would view this behavior as a security risk, but they do it anyway.
The risks of playing data hide-and-seek
In 2018, the CISO’s job is becoming significantly more challenging — even in organizations that have the best cybersecurity policies and tools in place. The risks boil down to a lack of data visibility:
- With the rise of flexible working practices and the ongoing digitization of information, 73 percent of security and IT leaders believe that some company data only exists on endpoints.
- As many as 71 percent of security and IT leaders and 70 percent of business leaders reveal that losing all corporate data held on endpoint devices would be business-destroying or seriously disruptive.
- While 80 percent of CISOs agree that “you cannot protect what you cannot see,” business leaders think otherwise. The majority of business leaders (82 percent) believe IT can protect data they cannot see, a glaring disconnect from reality.
Playing defense in an unpredictable threat landscape
- Among CISOs, 64 percent believe their company will have a breach in the next 12 months that will go public; 61 percent say their company has already experienced a breach in the last 18 months.
- The threat of cyberattack has led nearly 73 percent of CISOs to stockpile cryptocurrency to pay cybercriminals; of those, 79 percent have paid a ransom.
These findings underscore how resources are being used unnecessarily to respond to cyberthreats in this way. With a comprehensive data security strategy that includes visibility, companies would have a better understanding of what happened and when. As a result, they would be positioned to recover from data loss incidents much faster.
Ounce of prevention no longer worth a pound of cure
Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today’s complex threat landscape:
- The majority of CISOs (72 percent) and 80 percent of CEOs believe their companies have to improve their ability to recover from a breach in the next 12 months.
- Three-quarters of CISOs (75 percent) and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention- and recovery-driven security.
“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy,” said Rob Westervelt, research director for the security products group at IDC. “To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats.”