In an evolving threat landscape, the report revealed that 73% of CISOs, resigned to data breaches, say their companies are stockpiling cryptocurrency to pay off ransoms; and the vast majority (79%) of those stockpilers have actually paid a ransom.
In fact, among CISOs, 64% believe their company will have a breach in the next 12 months that will go public and 61% say their company has already experienced a breach in the last 18 months.
Acquiescing to cybercriminals, however, isn’t necessary. If companies had comprehensive data visibility and recovery tooling that covers endpoint data, they could simply restore their data, turning a security incident into an inconvenience rather than a crisis.
The findings, detailed in the 2018 Data Exposure Report, raise concerns about the role of human emotions in risky data security practices. The findings also underline the need for a realistic data security strategy that not only addresses human behaviour, but also takes both prevention and recovery into account. The report includes feedback from nearly 1,700 security, IT and business leaders in the U.S., U.K. and Germany. It was commissioned by Code42, a leading provider of information security solutions, and conducted by Sapio Research.
Defy data security best practices and company policy
In a clear demonstration that top executives defy data security best practices and company policy, 72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer. Additionally, 93% of CEOs say they keep a copy of their work on a personal device, outside the relative safety of company servers or cloud applications. Yet, 78% of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise, showing a disconnect between what executives say and do.
“It’s clear that even the best-intentioned data security policies are no match for human nature,” said Jadee Hanson, chief information security officer, Code42.
“Understanding how emotional forces drive risky behaviour is a step in the right direction, as is recognising ‘disconnects’ within the organisation that create data security vulnerabilities. In a threat landscape that is getting increasingly complex, prevention-only strategies are no longer enough.”
Ounce of prevention no longer worth a pound of cure
Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today’s complex threat landscape. The majority of CISOs (72%) and 80% of CEOs believe their companies have to improve their ability to recover from a breach in the next 12 months. Three-quarters of CISOs (75%) and 74% of CEOs believe their security strategies need to change from prevention-only to prevention- and recovery-driven security.
“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy,” said Rob Westervelt, research director for the security products group at IDC. “To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organisation against both internal and external threats.”
Data is precious, but talk is cheap
While companies spend billions to prevent data loss, the research suggests that data remains vulnerable to employee transgressions, and the C-suite is among the worst offenders. In a clear demonstration of the disconnect between what top leaders say and what they do, almost two-thirds of CEOs (63%) admit to clicking on a link they shouldn’t have or didn’t intend to, putting their corporate and potentially personal data at risk from malware. In addition, 59% of CEOs admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77%) believe their IT department would view this behaviour as a security risk, but they do it anyway.
The risks of playing data hide-and-seek
In 2018, the CISO’s job is becoming significantly more challenging — even in organisations that have the best cyber security policies and tools in place. The risks boil down to a lack of data visibility.
With the rise of flexible working practices and the ongoing digitisation of information, 73% of security and IT leaders believe that some company data only exists on endpoints.
As many as 71% of security and IT leaders and 70% of business leaders reveal that losing all corporate data held on endpoint devices would be business-destroying or seriously disruptive. While 80% of CISOs agree that “you cannot protect what you cannot see,” business leaders think otherwise. The majority of business leaders (82%) believe IT can protect data they cannot see, a glaring disconnect from reality.