In a clear demonstration that top executives defy data security best practices and company policy, 72 percent of CEOs admit they've taken valuable intellectual property (IP) from a former employer. Additionally, 93 percent of CEOs say they keep a copy of their work on a personal device, outside the relative safety of company servers or cloud applications. Yet, 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise, showing a disconnect between what executives say and do.
The findings, detailed in the recently released 2018 Data Exposure Report, raise concerns about the role of human emotions in risky data security practices. The findings also underline the need for a realistic data security strategy that not only addresses human behavior, but also takes both prevention and recovery into account. The report includes feedback from nearly 1,700 security, IT and business leaders in the U.S., U.K. and Germany. It was commissioned by Code42, a leading provider of information security solutions, and conducted by Sapio Research.
"It's clear that even the best-intentioned data security policies are no match for human nature," said Jadee Hanson, Code42's chief information security officer. "Understanding how emotional forces drive risky behavior is a step in the right direction, as is recognizing 'disconnects' within the organization that create data security vulnerabilities. In a threat landscape that is getting increasingly complex, prevention-only strategies are no longer enough."
Data is precious, but talk is cheap
While companies spend billions to prevent data loss, the research suggests that data remains vulnerable to employee transgressions — and the C-suite is among the worst offenders. In a clear demonstration of a disconnect between what top leaders say and what they do:
- Almost two-thirds of CEOs (63 percent) admit to clicking on a link they shouldn't have or didn't intend to, putting their corporate and potentially personal data at risk from malware.
- In addition, 59 percent of CEOs admit to downloading software without knowing whether it is approved by corporate security. The majority of business leaders (77 percent) believe their IT department would view this behavior as a security risk, but they do it anyway.
The risks of playing data hide-and-seek
In 2018, the CISO's job is becoming significantly more challenging — even in organizations that have the best cyber security policies and tools in place. The risks boil down to a lack of data visibility:
- With the rise of flexible working practices and the ongoing digitization of information, 73 percent of security and IT leaders believe that some company data only exists on endpoints.
- As many as 71 percent of security and IT leaders and 70 percent of business leaders reveal that losing all corporate data held on endpoint devices would be business-destroying or seriously disruptive.
- While 80 percent of CISOs agree that "you cannot protect what you cannot see," business leaders think otherwise. The majority of business leaders (82 percent) believe IT can protect data they cannot see, a glaring disconnect from reality.
Playing defense in an unpredictable threat landscape
In an evolving threat landscape, companies resigned to data breaches are stockpiling cryptocurrency to pay off ransoms, and the vast majority of stockpilers have actually paid a ransom. In fact:
- Among CISOs, 64 percent believe their company will have a breach in the next 12 months that will go public; 61 percent say their company has already experienced a breach in the last 18 months.
- The threat of cyberattack has led nearly 73 percent of CISOs to stockpile cryptocurrency to pay cybercriminals; of those, 79 percent have paid a ransom.
These findings underscore the unnecessary use of resources to respond to cyberthreats in this way. With a comprehensive data security strategy that includes visibility, companies would have a better understanding of what happened and when. As a result, they would be positioned to recover from data loss incidents much faster.
Ounce of prevention no longer worth a pound of cure
Despite the disconnect between what they practice and what they preach, the report indicates that business leaders understand the need for a multi-pronged security approach in today's complex threat landscape:
- The majority of CISOs (72 percent) and 80 percent of CEOs believe their companies have to improve their ability to recover from a breach in the next 12 months.
- Three-quarters of CISOs (75 percent) and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention- and recovery-driven security.
"The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy," said Rob Westervelt, research director for the security products group at IDC. "To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats."
Note to Editors
About the Code42 2018 Data Exposure Report
The security, IT and business leader portions of the research for this report were conducted by Sapio Research, an independent research consultancy based in the United Kingdom. The survey was completed, via online response, during February 2018.
The respondent breakdown is as follows:
Security and IT leaders:
- USA: 380
- UK: 376
- DACH: 278
- Almost two-fifths (39 percent) of the security and IT leader audience was made up of CIO, CISO, CSO and CTO respondents.
Business leaders:
- USA: 200
- UK: 200
- DACH: 200
- More than a quarter (27 percent) of the business leader audience was made up of CEOs.
The research surveyed 1,034 security and IT leaders, including CSOs, CTOs, CISOs and CIOs, as well as 600 business leaders, all with budgetary decision-making power. All respondents came from companies with at least 250 employees. A total of 61 percent of the business leaders, and 58 percent of the security and IT leader respondents represented companies with more than 1,000 employees.