Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

sensitive data

How Cyber Security Literate is the board?

Tripwire have announced the results of a study on the cyber literacy challenges faced by organisations.

The study evaluated the attitudes of executives as they relate to cybersecurity risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations.

Despite the increasing number of successful cyberattacks against U.K. organisations, the study revealed that 54% of C-level executives at organisations within the Financial Times Stock Exchange (FTSE) 100 index believe their board is both cybersecurity literate and actively engaged in routine security. IT professionals from the same organisations are less confident in their boards cybersecurity knowledge, with 26% stating their boards only steps in when there is a serious incident.

While the results of the study point to executive confidence, they reveal the uncertainty of IT professionals. When asked if their board was “cyber literate,”29% of IT professionals either answered “no” or “not sure.” However, when C-level executives were asked the same question, 84% answered “yes.”.

There’s a big difference between cybersecurity awareness and cybersecurity literacy,” said Dwayne Melancon, chief technology officer for Tripwire. “If the vast majority of executives and boards were really literate about cybersecurity risks, then spear phishing wouldn’t work. I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit that they that they don’t fully understand the business impact of these risks

Other key findings include:

  • 28% of IT professionals “don’t have visibility” into what the board is told about cybersecurity
  • 47% were “not concerned” about their boards knowledge of cybersecurity.
  • In the event of a cyberattack, respondents would be most concerned about 62% customer data, 50% damage to brand and reputation and 40% financial damage or stock price.
  • 35% of respondents agreed that a security breach at their own organization had the biggest impact on their boards’ cybersecurity awareness, while other respondents felt that Heartbleed (19%) had a bigger impact than the Target or Sony breach and the Snowden leaks (17% and 8%, respectively).

Most organisations are not struggling with communication tools said Melancon. They are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk

Advertisements

How Employees are Putting Your Intellectual Property at Risk

“What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk” is a white paper produced by the Ponemon Institute on behalf of Symantec.

The paper reviews the way employees perceive corporate data and their mindset and motivations for copying data and Intellectual Property

Key Findings

  • Employees are moving IP outside the company in all directions
  • When employees change jobs, sensitive business documents often travel with them
  • Employees are not aware they are putting themselves and their companies at risk
  • They attribute ownership of IP to the person who created it
  • Organizations are failing to create a culture of security

Impact on Organizations

According to Ponemon Institute, employees are moving IP outside the company in all directions

  • Over half admit to emailing business documents from their workplace to their personal email accounts
  • 41% say they do it at least once a week
  • 44% also say they download IP to their personally owned tablets or smartphones, leaving confidential information even more vulnerable as it leaves corporate-owned  devices

The data loss continues through employees sharing confidential information in the cloud

  • 37% use file-sharing apps (such as Dropbox or Google Docs) without permission from their employer
  • Worse, the sensitive data is rarely cleaned up; the majority of employees put these files at further risk because they don’t take steps to delete the data after transferring it.

When employees change jobs, sensitive business documents often travel with them. In most cases, the employee is not a malicious insider, but merely negligent or careless about securing IP. However, the consequences remain. The IP theft occurs when an employee takes any confidential information from a former employer

  • Half of the survey respondents say they have taken information
  • 40% say they will use it in their new jobs

This means precious intelligence is also falling into the hands of competitors, causing damage to the losing company and adding risk to the unwitting receiving company.

Understanding Employee Attitudes about IP Theft

The attitudes that emerged from the survey suggest that employees are not aware that they are putting themselves and their employers at risk when they freely share information across multiple media. Most employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud file-sharing apps is wrong. A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company. Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data.

To shed further insight, over half do not believe that using competitive data taken from a previous employer is a crime. Employees attribute ownership of IP to the person who created it. When given the scenario of a software developer who re-uses source code that he or she created for another company, 42% do not believe it is wrong and that the a person should have ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today’s knowledge workers as unaware that intellectual property belongs to the organization.

Recommendations from the paper

Given these findings, what can companies do to minimize risk? We suggest that companies take a multi-pronged approach:

  • Educate employees. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness is critical, companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do’s and don’ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employee to your company.
  • Enforce non-disclosure agreements (NDAs). Review existing employment agreements to ensure that it uses strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include and describe, in checklist form, an overt description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee’s responsibility to safeguard sensitive and confidential information.
  • Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it’s leaving. Deploy data loss prevention software to notify managers and employees in real-time when sensitive information is inappropriately sent, copied, or otherwise inappropriately exposed. Implement a data protection policy that monitors inappropriate access/use of IP and notifies employees of violations, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: