Two simultaneous studies polled 1000 employees and 250 IT managers respectively from businesses across UK to discover the importance of IT and data security in the workplace. Rifts in perception versus reality between these two groups revealed habits and knowledge-gaps that compromise UK plc’s cybersecurity.
High-profile breaches have prompted action:
In the wake of high profile data breaches such as TalkTalk, employees and senior management are more aware of the importance of data security; and are taking action. Correspondingly, 44 percent of employees feel their organisation has placed greater emphasis on data security, and 60 percent of IT Managers admit to having taken action as a direct result of high-profile breaches.
§ The majority of employees (31%) describe themselves as the biggest IT security threat to their businesses, followed by hackers (30%)
§ Conversely, IT managers believe hackers represent the greatest threat (37%) followed by employees (24%) and a lack of rigid security policies (22%)
§ Overwhelmingly employees (92%) and IT managers (92%) agree that IT and data security is important to their business § A worrying 12 percent of employees suggest that they never received any training or communication on data and IT security despite 80 percent of IT managers claiming to communicate or train on the subject once a year or more
The call for democratised responsibility:
As employees become more aware of the impact of data breaches, and the need for IT security, they are developing a greater sense of responsibility for protecting company data. Despite a slim majority (41%) believing that the IT team remains mostly responsible for data security; over a third of employees (37%) believe that everyone is responsible for it. IT managers themselves, however, are least likely to apportion responsibility for security to those outside of the IT team with only 10 percent suggesting that IT Security is everyone’s responsibility.
Darin Welfare, Vice President and General Manager EMEA, WinMagic commented: “There is a clear disconnect between employees, who feel that they must share responsibility for security, and those currently seen as ‘in charge’ of this area. As employees bear witness to ever more high-profile contemporary data breaches, they are increasingly aware of their responsibility to share in data security. Businesses and IT managers who recognise and respond to this heightened level of awareness are going to ultimately see more success in implementing policies and systems to best effect.”
Feeling responsible doesn’t mean acting it:
Whilst 80 percent of employees believe methods they use to store company data are somewhat or wholly secure, IT managers remain unconvinced. They are most concerned with security, and the habits of employees, when it comes to storing company data on personal hardware or in cloud environments.
§ 25 percent of employees are actively storing work data on private cloud services, whilst 15 percent are using personal hardware
§ The majority of IT Managers (63%) state that they are concerned about employees storing company data on private cloud; on personal hardware this rises to 68 percent
§ Portable storage devices continue to be a preferred storage option for company data for 20 percent of employees; alongside company hardware (52%)
§ Few IT Managers believe their organisations’ data is completely secure in Private Cloud (13%) or Public Cloud (11%) environments, believing that weak passwords (34%) and users forgetting passwords (35%) represent the biggest security challenges here
Employees are up to twice as likely to take risks on work IT equipment then they are on their own devices but they aren’t alone in that habit. IT managers themselves admit to being even more likely to undertake risky data handling practices than regular employees.
§ Five percent of employees would be ‘very likely’ to open an email from an unknown sender on personal devices; jumping to ten percent on work equipment
§ Fourteen percent of employees would be ‘very likely’ to open e-mail attachments with unrecognised file extensions including .exe extensions on personal devices; jumping to 27 percent on work equipment. For IT managers it is a much more worrying 42 percent and 43 percent, respectively
Businesses are unwittingly assuming business and personal cyber risk
As employees take more risks in handling data at work than at home so too are they likely to feel that personal data storage is more secure at work. When asked where they felt their personal data was most secure employees favoured work IT equipment (37%) over personal equipment (23%) or in the cloud (11%).
Darin Welfare, Vice President and General Manager EMEA, WinMagic continued: “Today’s employee is merging work and personal actions online more than ever before. In preferring work systems to their own, they are indicating a greater confidence in their employer security provisions, whilst forcing businesses to assume added risks associated with actions employees take in securing and managing personal data. The expectation that employer systems present a safer environment in which to take risks poses a notable threat to data security. As businesses seek to ensure a robust and secure infrastructure to secure critical data they need to look to enterprise key and encryption management to shield information against unauthorised access.”
