Exonar, has today published research revealing that 94 percent of IT pros have experienced a data breach, and an overwhelming majority (79 percent) are worried that their current organization could be next.
The survey of 500 IT professionals found that when it comes to cybersecurity, employee data breaches are seen as the biggest risk to an organization. Two fifths (40 percent) of respondents named employee data breaches as the biggest overall threat to information security in the coming year, while a fifth (21 percent) said external attacks from cybercriminals are the biggest risk to information security, and 20 per cent believe it is ransomware/malware attacks.
When looking at what causes employee data breaches, more than half (51 percent) of IT professionals say these most commonly occur through external email services such as Gmail and Outlook. However, 42 percent say employee data breaches have happened through collaboration tools such as Slack and Dropbox, and 41 per cent through SMS/messaging services. Just 6 percent of those surveyed said they had never knowingly experienced a data breach.
Despite data breaches being front of mind for IT teams, 95 percent of IT professionals say it’s a challenge to get visibility across their organizations’ data estate, and only 39 percent of organizations are taking active steps to gain visibility of their data.
“In simply performing their jobs, employees can unintentionally be the source of a data breach – by leaving high-risk information unprotected in the wrong place. It’s the responsibility of the company to provide the right methodology, technology, and processes that enable the workforce to continue to operate without burdening teams with undue process,” said Danny Reeves, CEO, Exonar.
“These days, every company is a data company, and large organizations often have thousands of systems and storage facilities. Unless companies are actively taking steps to know and understand their data, they’re leaving themselves vulnerable.”
Everyone’s aware of how challenging maintaining a strong cybersecurity posture is these days. There’s no longer a perimeter to protect and with remote working becoming the norm since the advent of COVID-19 and BYOD stretching digital boundaries to their very limits, good security is significantly tougher to achieve.
When evaluating cyber security risks to the organization, we’re typically looking at users, devices and IoT devices as possible ways into the infrastructure. And yet it’s not these people and things attackers are really interested in – it’s the data.
While data that’s stored in locked-down databases, such as CRM and storage systems, is ordered, structured and easy to secure, 92% of the world’s data is unstructured, or dark data.
Our own research suggests that a typical organization’s unstructured information contains:
- 42% confidential information
- 1% sensitive personal information
- 9% personally identifiable information
Think about all the emails that are sent and the documents that teams create every day, which aren’t maintained in organized databases? And the file-shares such as SharePoint and OneDrive, the company intranet and personal folders?
Keeping on top of this unstructured data is a huge challenge. Our research revealed that 95% of IT professionals say it’s a challenge to get visibility across their organizations’ data estate, yet only 39% of organizations are taking active steps to gain visibility of their data.
But fail to do so and over time dark data becomes forgotten and vulnerable to insider threats and external breaches. In fact, our research also showed that data breaches by employees are seen as the biggest risk to an organization – with 40% of respondents naming internal breaches as the biggest threat in the coming year.
So how can you enhance information security?
Change the focus
It’s a fine balancing act. On one side, organizations must lock data down to secure it and protect it from harm. On the other, they need to open up the business to provide greater access to the information people need to do their jobs. The answer lies in the data.
The fact is, no business can protect itself from an insider threat or external data breach until they have all of their data – both structured and unstructured – under control. The first step has to be to discover what’s there, where it’s stored and whether there’s sensitive data within it.
These insights allow the organization to determine how that data can be protected. Maybe nothing has to be done, because appropriate controls are already in place. Or maybe the data has to be moved or deleted.
By gaining visibility, a business can prioritize its risks, take action to protect the data at the source and, perhaps, even reveal hidden value in it.
Wrap the right methodology, technology, and processes around the data
By employing the right methodology, technology and processes, an organization can secure its data while enabling its workforce to continue to operate without having to follow undue procedure to access it when they need it to do their jobs.
The journey towards effective information security puts data at the heart of the strategy, and follows five key steps:
1. Documented data policies and processes: Set out the intentions for how the organization will deal with its data to lay the bedrock for successful data security and governance.
2. Employee awareness, training and culture: Data security and governance should be so ingrained into people’s thinking that it sits front and center in their minds every day.
3. Information discovery and classification: Identify what data lies within the estate so appropriate actions can be taken to secure it, extract value from it and manage its complexity.
4. Adding enforcement technologies: Document encryption, data loss prevention, access control, data remediation, content management – taking a blended approach to enforcement means opening up APIs and integrating systems.
5. Operational process and record keeping: KPIs enable the business to monitor and better understand its data to identify areas for continuous improvement.
Data is a business’s most valuable and most risky asset, but to secure it you must know what you’ve got, so it’s imperative to be able to find and reveal both structured and unstructured data across the company’s assets.
Once a business knows its data, it can protect and power the organization and the people it serves by both mitigating the risks in the data and using it in positive and proactive ways to drive the business forward.