Overconfident Employees and the Lack of Security Tools Lead to Risky Business

Transcription

1 White Paper Overconfident Employees and the Lack of Security Tools Lead to Risky Business A SilverSky Survey of Security Habits SilverSky 440 Wheelers Farms Road Suite 202 Milford CT silversky.com 2013 SilverSky

2 P.2 Overconfident Employees and Lack of Security Tools Lead to Risky Business White Paper Introduction It s well documented in social and behavioral psychology that people tend to suffer from overconfidence when comparing their own behavior to others. After all, it s human nature to believe that one is better or at least no worse than his/her friends, neighbors and coworkers. SilverSky recently conducted a survey among business users to assess security habits and perceptions. What we found fell in line with the Lake Wobegon Effect (i.e., overconfidence) of users believing that they are more secure than their fellow coworkers. However, this overconfidence on the part of employees could potentially be dangerous for businesses, since it could lead to poor security habits which ultimately lead to real legal, regulatory and reputational risks through data loss. Concerned but Confident A total of 119 business users across various industries responded to this survey, and when it comes to security in the workplace, most employees think they have safer habits than others. In fact, when it comes to security, 98 percent of employees claim they re either equal to or better than their careless co-workers. Specifically, nearly 43 percent of surveyed business users said they are very concerned go above and beyond the company-prescribed procedures to protect their business communications, while 30 percent claim to be much more security conscious than their coworkers. Additionally, more than half (53 percent) are also quick to throw others under the bus, saying they ve received unencrypted, sensitive data from sensitive attachments to social security numbers to private health information via . Yet only 17 percent admit to sending out this risky data themselves. Are just a small minority of individuals with poor habits responsible for the majority of risky s and sensitive data loss? Which statement applies to you with respect to security? 52.1% I am somewhat concerned follow the basic company prescribed procedures to protect my communications. 42.9% 5.0% I am very concerned go above and beyond the company prescribed procedures to protect my communications. I am not really concerned typically don t follow the company prescribed procedures. Figure 1: Users are generally concerned about security 1

3 P.3 Overconfident Employees and Lack of Security Tools Lead to Risky Business White Paper Are you more security conscious about than your coworkers? I am about the same as my coworkers. 23.7% 29.8% I am much more security conscious than my coworkers. I am a little more security conscious than my coworkers. 44.7% 1.8% I am less security conscious than my coworkers. Figure 2: Overconfidence in being more security conscious Top Security Threats We also asked respondents to tell us how concerned they are with particular threats (scoring is based on 1 being very concerned, 2 somewhat concerned, and 3 not concerned). By far the greatest perceived threat is s with malware, with an average rating of 1.52 (somewhere between very and somewhat concerned). The next top two threats were fairly close, with average ratings of 1.62 and 1.68 respectively for s being shared with unintended recipients and phishing s. Finally, the bottom two threats scored 1.88 and 1.91 respectively for junk mail and s being intercepted by bad guys. Please tell us how concerned you are for each threat to your security. s with malware sent to you. Your s being shared with unintended recipients. Phishing s sent to you. Junk sent to you. Your s being intercepted by bad guys. Figure 3: Top security concerns

4 P.4 Overconfident Employees and Lack of Security Tools Lead to Risky Business White Paper anti-virus protection has come a long way over the past few years, but clearly malware is still a top of mind concern for business users. Nearly 60 percent said they were very concerned about malware probably due to the fact that malware typically causes more immediate damage to one s computer system. However, the next highest scoring concerns show that the landscape is evolving. Phishing s don t usually post the same havoc-wreaking threat to a computer that malware does, but rather they are used to gather sensitive information for some malicious activity, like identity theft. Likewise, the concern over s being shared (as opposed to being intercepted) by others also poses a similar threat in terms of losing sensitive data. Do No Evil, But See Plenty of Evil Next, we asked respondents to tell us which security faux pas has happened to them. Surprisingly, 25 percent of respondents claim to not have experienced any of these common mistakes. Is this group much more security conscious than their coworkers, or are they very concerned with security? In fact, the answer is no to both. Of this 25 percent who have done no wrong, only 35 percent said they are very concerned about security, while 55 percent think they are not any more security conscious than others. For those who have committed some sort of sin, the most common occurrences by far were sending s to the wrong person by mistake and receiving unencrypted s with sensitive information in them. However, although more than 50 percent received sensitive information in the open, only 21 percent and 17 percent have claimed to have sent unencrypted, sensitive corporate info or personal identifiable information (PII), respectively. Which of the following scenarios apply to you? (check all that apply) I ve sent an to the wrong person/address by mistake. I ve received unencrypted s with sensitive info* in the body of an without using encryption. 56.1% 52.6% I have done none of the above. 25.4% I ve sent sensitive corporate info* without using encryption. 21.1% I ve included sensitive info* in the body of an without using encryption. 16.7% *Sensitive info includes credit card numbers, social security numbers, financials, internal documents, etc. Figure 4: Common security faux pas

5 P.5 Overconfident Employees and Lack of Security Tools Lead to Risky Business White Paper Additionally, we asked whether the respondents knew of anyone in their companies who have been reprimanded for sending out sensitive information unintentionally. One in five respondents said yes, while 24 percent were unsure. Compared to 53 percent of respondents having received sensitive, unprotected content, this would indicate that companies are not able to fully track data leaks and take actions to address or prevent such risky behavior. Improving Security Finally, we asked a series of questions about what tools are in place to help improve security and what users think of their companies current security posture. For tools, we asked about the use of content filtering or data loss prevention (DLP) and encryption solutions. Only 32 percent of respondents said their companies use filtering, and even fewer than 21 percent said they have adopted encryption. There is also a very high percentage of respondents that said they are unsure if either solution is employed at their companies, 23 percent for DLP and 34 percent for encryption. This may indicate a lack of training and awareness, both of which are critical to helping ensure proper security. Not surprisingly, when we asked how potentially having or actually using DLP or encryption made one feel about sending , 93 percent and 97 percent respectively said they would feel more secure. When it comes to overall security, 46 percent of business users said their companies could be doing more. Specifically, 68 percent of respondents said that IT should focus more on preventing employees from inadvertently ing out sensitive information, versus 32 percent saying that willful and malicious data loss on the part of employees is the greater threat. Conclusion Poor security habits on the part of employees are a big cause of compliance and business risks for companies. In this SilverSky survey of business users, we find that in general, employees are concerned about security (95 percent), but too many think of themselves as more security conscious than their colleagues (54 percent). This hubris in turn could lead to careless behavior such as sending s to unintended recipients (56 percent), receiving sensitive data in unencrypted s (53 percent), or sending out confidential corporate information or PII (38 percent combined). At least 20 percent of respondents know of a coworker who has been reprimanded for sensitive information leaks via , but only 32 percent of companies use an DLP solution and even fewer (21 percent) use encryption. As such, 46 percent of respondents feel that security could be improved at their companies. IT has typically shied away from implementing too many tools that could hamper usability or that end up, as the saying goes, just keeping honest people honest. But it appears that solutions such as DLP and encryption would serve to protect users from the most likely threat themselves as 68 percent of respondents said that the greater threat to businesses are employees unintentionally sending out sensitive information via .