Study Shows Companies Aren’t Protecting Their Data Internally

    Aug 24, 2016

    When it comes to high-value company documents, most organizations don’t have the technology in place to keep their employees from sharing them, according to a study by the Ponemon Institute.

    The study revealed that only 36% of the more than 600 IT security practitioners at large companies who responded said their organizations are able to restrict the sharing of confidential data with third parties. Just 27% said they could restrict sharing between employees.

    According to the survey results:

    • 56% of respondents said company insiders are the primary cause of data breaches.
    • 72% are not confident they can manage and control employee access to confidential files.
    • 68% do not know the location of confidential information.
    • 73% believe they lost confidential information in the past 12 months.

    For example, 58% of companies said their employees use free, consumer-grade online file sharing applications, and 48% said there are situations when it is acceptable for employees to store confidential documents on their home computers or personal mobile devices.

    Remarkably, 68% said they don't even know where their confidential information is located.

    “A lot of people don't realize how much intellectual property or trade secrets is floating around the organization,” said Ron Arden, COO at data security vendor Fasoo, which sponsored the study.

    According to the Ponemon study, 56% of respondents said their company does not educate its employees about protecting confidential information, and only 44% said their company uses tools to prevent data loss.

    The study revealed that companies often don't even know when proprietary documents are stolen. Only 23% conducted an audit of their confidential documents, and 69% of those said they found security issues that needed to be resolved.

    Careless employees caused the losses in 56% of the cases, the study found. Lost or stolen devices were to blame 37% of the time, followed by third-party mistakes at 35%. Outside attackers were responsible for only 22% of breaches.

    According to Ponemon, the internal loss of company documents doesn’t garner headlines or even get reported the way more general breaches, such as the theft of credit card numbers, do. Companies are required by regulators to report the loss of personally identifiable information, but not when sensitive internal documents, such as financial reports or trade secrets, disappear.

    “When it's internal, that kind of data breach is not necessarily one where you would contact the FBI,” said Larry Ponemon, chairman and founder at Ponemon Institute. “We know that a lot of data breaches don't get disclosed.”

    ARMA International notes that the Generally Accepted Recordkeeping Principle® of Protection calls for identifying all threats to an organization’s information assets. While external hackers grab the headlines in information security, there is a lot that can be done to protect information from internal threats as well.

    The first challenge for many organizations, as pointed out in the survey, is identifying the information assets that are truly confidential and deserving of additional security. This is a role appropriately taken up by the information professionals, who can apply tools that already exist in many organizations (e.g., inventories, data maps, taxonomies, access permissions) to this concern.

    The organization’s training program for its records and information management policies and procedures is a logical place to add training on the proper handling of confidential and proprietary information. ARMA International says, “Protecting information assets is clearly a part of good information governance. The results of this survey should raise some eyebrows – and it should prompt an audit or review of every organization’s internal security arrangements.”

    The Ponemon/Fasoo study can be downloaded at this link.

    © 2017, ARMA International