Are employees putting your data at risk?

Locks don't work on those who are already inside
Locks don't work on those who are already inside

With what seemed like continual breach headlines shaking the confidences of nearly every business across every industry in 2014, it is all the more important to button up security practices in the New Year. Now the question becomes: where does one begin when cleaning house?

Survey findings from Ipswitch say start with your employees. In a survey of more than 200 IT professionals and practitioners, Are Employees Putting Your Company’s Data at Risk?, findings show that employees are circumventing IT staff by sending confidential and highly sensitive company files via means that are insecure, lack auditability, and run the risk of exposing an organization’s sensitive data:

  • 84% of employees are using personal emails to send sensitive files
  • More than 50% of respondents expose company files or data by uploading to a cloud-based service such as Dropbox or YouSendIt
  • More than 30% of employees have lost a USB drive containing confidential information

Hackers are constantly on the lookout for ways to steal sensitive data, and some practices by employees are actually making these hackers jobs easier! A vast majority (84%) of the respondents send classified or confidential information as email attachments; and nearly half of them use their personal email to send company documents and data.

Additionally, file transfer sites and cloud services are also making it easier for employees to sidestep IT restrictions and potentially expose sensitive information. More than 50% of respondents expose company files or data by uploading to a cloud-based service such as Dropbox or YouSendIt. There is a lack of visibility and control associated with these methods when files are being transferred, putting them outside any reasonable IT comfort zone and putting organizations at tremendous risk.

Furthermore, when business users aren’t turning to personal email accounts or free file-sharing services to send information, they’re often using USB thumb drives, smartphones or other external devices. These methods are simple, cheap and convenient – but also extremely risky.

For example, in July 2012, a USB drive with data on 14,000 patients and about 200 staff was stolen from the home of an employee of Oregon Health & Science University (OHSU) during a home invasion. This is just one example of the dangers of allowing data to be stored and moved using USB drives versus a secure transfer method. More than 30% of employees in the survey admitted to having lost an external device containing sensitive business or personal information. The survey also revealed that when respondents lost external devices with sensitive business information, 49% did not report it to the IT department. That means companies are often unaware of these disasters until it’s too late for anything except damage control.

These data findings serve as an important reminder that when company systems hinder employee productivity, it’s both a security risk and bad for business. Employees are sending a clear message: if IT doesn’t provide the tools they need to send large and confidential attachments – or if the processes and technologies are too difficult to use – users will take matters into their own hands. In many cases, a managed file transfer solution can be found that offers simple person-to-person file transfer technologies that allow business users to send files of any size simply and securely to anyone at any time in a well-governed way. As employees continue to circumvent IT and use their own tools to send and share files in the workplace, IT must deliver end-user simplicity that meets the governance and control required by the organization.

  • Paul Castiglione is a technical marketer and product evangelist at Ipswitch