"Corporate Data: A Protected Asset or a Ticking Time Bomb?" is a Ponemon Institute study sponsored by Varonis, surveying a total of 2,276 employees in US and European organizations (United Kingdom, Germany and France), including 1,110 individuals (hereafter referred to as end users) who work in such areas as sales, finance and accounting, corporate IT, and business operations, and 1,166 individuals who work in IT and IT security (hereafter referred to as IT practitioners).
In the context of this research, both IT practitioners and end users are witnessing a lack of control over their organizations’ data and access to it, and the two groups generally concur that their organizations would overlook security risks before they would sacrifice productivity. Employees are often left with needlessly excessive data access privileges and loose data-sharing policies.
Compounding the risk, organizations are unable to determine what happened to data when it goes missing, indicating a lack of monitoring and further absence of controls.
This presents a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data. Efforts to address these risks will need to overcome employee perceptions, as they believe data protection is not considered a high priority by senior leadership.
Following are research findings that illustrate the growing risks and challenges to productivity that data growth and a lack of internal controls currently present for organizations of all sizes:
End users believe they have access to sensitive data they should not be able to see, and more than half say that access is frequent or very frequent. 71% of end users say that they have access to company data they should not be able to see. 54% characterize that access as frequent or very frequent.
End users believe data protection oversight and controls are weak. 47% of end users say the organization does not strictly enforce its policies against the misuse of or unauthorized access to company data, and 45% say they are more careful with company data than their supervisors or managers. Furthermore, only 22% of employees say their organization is able to tell them what happened to lost data, files or emails.
IT agrees. Most IT practitioners surveyed state that their companies do not enforce a strict least-privilege (or need-to-know) data policy. Four in five IT practitioners (80%) say their organizations don’t enforce a strict least-privilege data model. 34% say they don’t enforce any least-privilege data model.
End users and IT agree that data growth is hindering productivity more every day. 73% of end users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data.
Uncertainty about whether senior executives view data protection as a priority affects compliance with security policies. Only 22% of end users believe their organizations overall place a very high priority on data protection. About half (51%) of IT practitioners believe their CEO and other C-level executives consider data protection a high priority.
IT practitioners say end users are likely to put critical data at risk. 73% of IT practitioners say their department takes data protection very seriously. However, only 47% believe employees in their company take the necessary steps to make sure confidential data is secure. Thus, IT departments know end user security risks exist but think they are limited in what they can do about it.
End users think it is OK to transfer confidential documents to potentially unsecure devices. 66% of end users say there are times when it is acceptable to transfer work documents to their personal computer, tablet, smart phone and even the public cloud. Only 13% of IT practitioners agree.
End users and IT practitioners do not think their organization would accept diminished productivity to prevent the risk to critical data. 55% of end users say their company’s efforts to tighten security have a major impact on their productivity. Only 27% of IT practitioners say their organization would accept diminished productivity to prevent the loss or theft of critical data.
End users and IT agree that employees are unknowingly the most likely to be responsible for the leakage of company data. 64% of end users and 59% of IT practitioners believe that insiders are unknowingly the most likely to be the cause of leakage of company data. And only 46% of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.