The state of data protection and privacy in the enterprise
The vast majority of enterprise employees believe their company’s approach to data security is strong, but most severely overestimate their employers’ ability to protect them from data leaks, breaches, and privacy violations.
Despite claiming high confidence in the technical controls and auditing capabilities of their organizations, most enterprise employees acknowledge that inappropriate data sharing happens — and when it does, the impact is significant.
These were some of the key findings of a survey conducted by market research firm Enterprise Management Associates in partnership with Samsung NEXT, the non-profit Center for Democracy and Technology, and email encryption and digital privacy startup Virtru.
The study also posits that while enterprises are investing more than ever before to protect against cybercriminals breaching their systems, the biggest threat to enterprise security often comes from their own employees.
Enterprises in denial
How most firms feel about the security of their data doesn’t actually reflect the reality of the situation. While 87 percent of survey respondents were moderately or highly confident in the effectiveness of their company’s security practices, 96 percent said their data had been inappropriately shared. Even worse, more than half of respondents (56 percent) said inappropriate sharing happened often or very often.
Part of the problem rests in where enterprises think they face the biggest risks. According to the survey, 72 percent of respondents point to external bad actors as the largest threat to confidential information, but the reality is that most of the risk is in-house.
“Most controls are designed to protect the data from external threats, leaving it vulnerable to careless or malicious insiders,” said one survey respondent.
Only 39 percent of breaches could be blamed on malicious outsiders. By contrast, employees were responsible for 60 percent of cases where confidential data was shared, although their actions were not always malicious.
Doing the bare minimum
These disparities don’t reflect a misunderstanding about the importance of enterprise security. Respondents said most enterprise data is worth protecting, either to meet regulations or for corporate confidentiality reasons. That suggests most leaks and breaches affect data they don’t want shared.
Security experts almost always recommend encryption as a security measure for anything companies want to keep under control, and respondents almost universally (97 percent) agreed that encryption is important or very important to protecting sensitive data.
As we’ve already seen, however, talking the talk doesn’t mean they’re walking the walk. While email is the top source of leaks among respondents, only 44 percent of respondents said they encrypt email.
When it comes to data at rest, only 32 percent of respondents go beyond the encryption that is required to meet regulations. So while enterprises say their data is important, they aren’t willing to take the steps necessary to go beyond the minimum required protection.
“Many of our client organizations have insufficient controls on their data. They still rely on perimeter and other controls to manage data access and flows,” one survey interviewee said. “Only a select few moved to protecting information at the data level with broader use of encryption for data storage and communications.”
Security isn’t easy
Disparities between priorities and practices make it easy to criticize security among enterprise firms. The truth is, falling short isn’t entirely their fault. Part of the problem lies in how secure tools work: Today’s data protection solutions are difficult to use not just for consumers, but for IT administrators as well.
Of the business leaders surveyed, 57 percent said that difficulty prevented their firms from using security tools like encryption more widely. Almost two-thirds of IT personnel said the complexity of solutions was a major impediment to adoption.
Fortunately, companies want to improve their security. More than 90 percent of enterprises consider the ability to protect sensitive data when choosing a business partner or supplier, and 72 percent would pay more for a cloud service with superior data security. A significant number of respondents said they believe data protection and privacy technologies can differentiate a business.
What this means is that the field is open for companies that make superior security easier for enterprises. As alarming as today’s failure to protect enterprise data is, the survey shows there’s a huge opportunity for meaningful improvement.