Today’s organisations are porous; data is no longer safely tucked away inside the traditional enterprise security perimeter. According to new research by Code42, chief information officers (CIOs), chief information security officers (CISOs) and IT decision makers (ITDMs) believe that as much as 45% of all their corporate data is held on endpoint devices. The serious implications and risks of this are understood at the top of the IT organisation—with 88% of CIOs/CISOs and 83% of ITDMs stating that losing this data would be seriously disruptive or even business destroying. But, awareness of data risk is also felt on the shop floor, with 47% of knowledge workers agreeing that the risks of corporate data loss would pose a threat to business continuity. Yet, despite this understanding, 30% of ITDMs admit that they do not have, or do not know if they have, an endpoint data protection (backup) strategy or solution in place. These findings are revealed in Code42’s 2016 Datastrophe Study, which surveyed 400 IT decision makers—including CIOs and CISOs—and more than 1,500 UK-based knowledge workers between the ages of 16-55+, all of whom work in enterprise-size organisations.
Data protection is fundamental to the smooth and successful running of enterprise businesses today. It is also integral to mitigating reputational risk. Eighty-nine percent of CIOs/CISOs and 80% of ITDMs say that their ability to protect corporate and customer data is vital or very important to their company’s brand and reputation—a sentiment that 74% of knowledge workers agree with. But, even when considering the growing threat landscape, more than a quarter (28%) of ITDMs suggest that they do not do enough, or are not sure that they do enough to protect corporate data. This will be of great concern to knowledge workers, of whom at least one-third (36%) believe the business they work for may be at risk of a data breach (that could go public) in the next year.
“What's clear from the 2016 Datastrophe Study is that more needs to be done to protect the enterprise. CISOs need to stop being the custodians of security and start taking the position of service providers and consultants to the business. While decisions around IT projects should be driven by the business, lines of business managers should be working closely with their CISOs to ensure projects measure up to the rigours of modern enterprise security. It's no longer enough for the general IT team to give advice—often based on what they 'can' or want to provide—on information and data security,” comments Phil Cracknell, founding member at ClubCISO, who reviewed the study’s findings.
Uncertainty around data protection strategies is no longer an option, especially when you consider the rapidly changing data protection policy landscape and pre-existing trust issues. Sixty-nine percent of ITDMs suggest that the upcoming General Data Protection Regulation (GDPR) will affect the way they purchase and/or provision data protection and security tools/solutions. In fact, 76% suggest they will be putting in additional security measures in place. Yet, 18% are waiting for everything to be finalised before making changes. This will not be welcome news to at least a quarter of knowledge workers (25%), who say they currently do not trust their IT teams or companies with their personal data.
“It is Quocirca’s belief that organisations have to put in place adequate measures to ensure a higher degree of data protection and security. Endpoint data management is a necessity along with data loss prevention (DLP) software and data encryption. Data should be centralised wherever possible and tracked and controlled through digital rights management (DRM) solutions whenever it leaves the control of that central point. Mobile devices should be virtualised and sandboxed to prevent movement of data from the corporate space to the public one. Attempting to rely on the knowledge and goodwill of a changing workforce is not enough—the right tools have to be put in place,” adds Clive Longbottom, founder and analyst at Quocirca.
Now is definitely the time for change, and it is starting to happen. Sixty-nine percent of ITDMs say they should be doing their best to provision data security that matches end-user expectations and working patterns. And a further 54% of knowledge workers and 38% of ITDMs believe there should be more investment into endpoint data protection in their organisations.
“Today, in large part due to the onset of flexible working and increased mobility of knowledge workers, the majority of the data we carry is at the endpoint. This newfound mobility of data, combined with a rapidly evolving threat landscape is causing enterprise IT security—which traditionally relied on locking data away safely in the datacentre—to go through a dramatic transformation. IT and information security teams need to find powerful new solutions that will keep data safe—wherever it might be. The time for change in the enterprise is now—from the C-suite to the knowledge worker,” concludes Rick Orloff, CSO at Code42.
About the 2016 Datastrophe Study
The IT decision maker portion of the research for this report was conducted by RedShift, an independent research consultancy based in London. 400 IT decision makers, including CISOs and CIOs within companies of 500+ people, who have decision-making power where budgets are concerned, completed an online study during November 2015.
At the same time, the knowledge worker—end users who are in full-time employment with access to technology as part of their day-to-day jobs—study was conducted by CensusWide, another independent research consultancy based in London. 1,500 knowledge workers, including CEOs, directors, team leaders and employees, completed an online study during November 2015.
2016 Datastrophe Study Media Assets: