Employees’ Security Hygiene Getting Worse as Ransomware Exposes Insider Negligence
At a time when ransomware and other attack techniques that exploit insider negligence become rampant, only 39 percent of end users believe they take all appropriate steps to protect company data accessed and used in the course of their jobs. This is a sharp decline from 56 percent in 2014, according to a new survey of more than 3,000 employees and IT practitioners across the U.S. and Europe. The report was conducted by the Ponemon Institute and sponsored by Varonis Systems, Inc.
Moreover, while 52 percent of IT respondents believe that policies against the misuse or unauthorized access to company data are being enforced and followed, only 35 percent of end user respondents say their organizations strictly enforce those policies.
The new release, "The Widening Gap Between End Users and IT," compares end-user practices and beliefs with those of their colleagues in IT security and IT generalist roles. This new analysis draws from the same data released by Varonis and the Ponemon InstituteAugust 9, 2016, in a report entitled "Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations," which found a sharp rise in the loss or theft of data, an increase in the percentage of employees with access to sensitive data, and the belief among participants that insider negligence is now the #1 concern for organizations trying to prevent these losses.
The survey results are derived from interviews conducted in April and May 2016, with 3,027 employees in the United States, United Kingdom, France, and Germany. Respondents included 1,371 end users and 1,656 IT and IT security professionals, in organizations ranging in size from dozens to tens of thousands of employees from a variety of industries including financial services, public sector, health care and life sciences, retail, industrial, and technology and software.
Among the key findings:
- Sixty-one percent of respondents who work in IT or security roles view the protection of critical company information as a very high or high priority. In contrast, only 38 percent of respondents who are considered end users of this data believe it is a very high or high priority.
- Asked about their organization's attitude on productivity vs. security, 38 percent of IT practitioners and 48 percent of end users say their organizations would accept more risk to the security of their corporate data in order to maintain productivity.
- Asked to agree or disagree that the protection of company data is a top priority for their CEO and other C-level executives, only 35 percent of end users agreed while 53 percent of IT professionals believe it is a top priority for senior executives.
- Asked for the most likely causes of the compromise of insider accounts, 50 percent of IT practitioners and 58 percent of end users say negligent insiders. "Insiders who are negligent" was by far the most frequent response for both IT and end users, more than twice as common as "external attackers" and more than three times as common as "malicious employees."
- End users are far more likely to attribute data breaches to insider mistakes than IT or security professionals. Seventy-three percent of end users say data breaches are very frequently or frequently due to insider mistakes, negligence or malice, while only 46 percent of IT respondents draw the same conclusions.
Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute, a leading research center dedicated to privacy, data protection and information security policy, observed, "At a time when one would expect general improvement in end-user hygiene due to increased awareness of cyberattacks and security breaches, this survey instead found an alarming decline in both practices and attitudes. If an organization's leadership does not make data protection a priority, it will continue to be an uphill battle to ensure end users' compliance with information security policies and procedures. Major differences between the IT function and end users about appropriate data access and usage practices make it harder to reduce security risks related to mobile devices, the cloud and document collaboration."