Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Confidentiality

Survey reveals companies are taking risks whilst outsourcing consumer data

Experian Data Breach Resolution and the Ponemon Institute survey results identify opportunity for improved data oversight.

The study, “Securing Outsourced Consumer Data”, reveals that many organizations (46%) do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.

The survey of almost 750 individuals in organizations that transfer consumer data to third-party vendors. The survey’s aim was to increase understanding of data breach frequency when consumer data is outsourced, to determine what steps are taken to ensure vendors’ data stewardship, and to evaluate privacy and security practices between companies and outsource vendors.

Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.

When sharing sensitive and confidential consumer information, 49% said that they do not monitor or are unsure whether their organization monitors vendor security and privacy practices.

Additional key findings from the survey include:

  • 56% of respondents acknowledged incidents when their organizations did not act on a vendor’s data breach
  • Outsourcing consumer information demands oversight survey results indicate that organizations that transfer or share consumer data with vendors experience data breaches more often than not
  • 65% of respondents said their organization had a data breach involving the loss or theft of their organization’s information
  • 64% of respondents reported their organization has experienced more than one data breach
  • Training is essential to protect against data breaches. Causes for data breaches can be reduced significantly through enforcement of policies and effective training
  • 45% of respondents reported negligence as the root cause of third-party data breaches
  • 40% of data breaches were the result of lost or stolen devices
  • Security and control procedures need improvement
  • 56% said their organization learned about a data breach accidentally
  • Only 27% said the organization’s security and control procedures uncovered the incident
  • 23% said the vendor’s security and control procedures alerted the organization to a breach

It is imperative that businesses and organizations place a priority on evaluating a vendor’s ability to secure sensitive data said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

.

Advertisements

How Employees are Putting Your Intellectual Property at Risk

“What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk” is a white paper produced by the Ponemon Institute on behalf of Symantec.

The paper reviews the way employees perceive corporate data and their mindset and motivations for copying data and Intellectual Property

Key Findings

  • Employees are moving IP outside the company in all directions
  • When employees change jobs, sensitive business documents often travel with them
  • Employees are not aware they are putting themselves and their companies at risk
  • They attribute ownership of IP to the person who created it
  • Organizations are failing to create a culture of security

Impact on Organizations

According to Ponemon Institute, employees are moving IP outside the company in all directions

  • Over half admit to emailing business documents from their workplace to their personal email accounts
  • 41% say they do it at least once a week
  • 44% also say they download IP to their personally owned tablets or smartphones, leaving confidential information even more vulnerable as it leaves corporate-owned  devices

The data loss continues through employees sharing confidential information in the cloud

  • 37% use file-sharing apps (such as Dropbox or Google Docs) without permission from their employer
  • Worse, the sensitive data is rarely cleaned up; the majority of employees put these files at further risk because they don’t take steps to delete the data after transferring it.

When employees change jobs, sensitive business documents often travel with them. In most cases, the employee is not a malicious insider, but merely negligent or careless about securing IP. However, the consequences remain. The IP theft occurs when an employee takes any confidential information from a former employer

  • Half of the survey respondents say they have taken information
  • 40% say they will use it in their new jobs

This means precious intelligence is also falling into the hands of competitors, causing damage to the losing company and adding risk to the unwitting receiving company.

Understanding Employee Attitudes about IP Theft

The attitudes that emerged from the survey suggest that employees are not aware that they are putting themselves and their employers at risk when they freely share information across multiple media. Most employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud file-sharing apps is wrong. A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company. Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data.

To shed further insight, over half do not believe that using competitive data taken from a previous employer is a crime. Employees attribute ownership of IP to the person who created it. When given the scenario of a software developer who re-uses source code that he or she created for another company, 42% do not believe it is wrong and that the a person should have ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today’s knowledge workers as unaware that intellectual property belongs to the organization.

Recommendations from the paper

Given these findings, what can companies do to minimize risk? We suggest that companies take a multi-pronged approach:

  • Educate employees. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness is critical, companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do’s and don’ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employee to your company.
  • Enforce non-disclosure agreements (NDAs). Review existing employment agreements to ensure that it uses strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include and describe, in checklist form, an overt description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee’s responsibility to safeguard sensitive and confidential information.
  • Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it’s leaving. Deploy data loss prevention software to notify managers and employees in real-time when sensitive information is inappropriately sent, copied, or otherwise inappropriately exposed. Implement a data protection policy that monitors inappropriate access/use of IP and notifies employees of violations, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: