Remote Work Compounds Insider Threats
While 91% of IT leaders trust their staff to follow best security practices when working remotely, over half of employees (52%) believe they can get away with riskier behavior when working from home. Half (48%) cite “not being watched by IT” as a reason for not following safe data practices, closely followed by “being distracted” (47%). Additionally, staff report that security policies are a hindrance — 51% say such policies impede productivity and 54% will find workarounds if security policies stop them from doing their jobs.
Eighty-four percent of IT leaders also say data loss prevention is more challenging when employees are working from home and 58% of employees think information is less secure when working remotely.
Data Loss is Pervasive and IT Leaders are Struggling to Contain It
According to the 2020 Verizon Data Breach Investigations Report, 30% of breaches involve internal actors exposing company information as a result of negligent or malicious acts. Insider threats and data loss over email are particularly challenging for IT leaders to control, due to a lack of visibility of the threat. Key findings from Tessian’s report reveal:
· U.S. employees are more than twice as likely as UK workers to send emails to the wrong person (72% vs. 31%).
· IT leaders in U.S. organizations with over 1,000 employees estimate that 480 emails are sent to the wrong person every year. Yet, Tessian data reveals that employees send at least 800 misdirected emails per year — 1.6x more than IT leaders estimate.
· U.S. employees are twice as likely as their UK counterparts to send company data to their personal email accounts (82% vs. 35%).
· IT leaders in U.S. organizations with over 1,000 employees estimate that just 720 emails are sent to unauthorized accounts a year. The reality, according to Tessian data, is that at least 27,500 unauthorized emails are sent a year — 38x more than IT leaders estimate.
· One-third (34%) of employees take company documents with them when they leave a job, with U.S. workers twice as likely as UK workers to do so (45% vs. 23%).
IT leaders rely on security awareness training, policies and legacy technologies to prevent data loss, yet these practices may not be as effective as they think. The report finds that employees who receive security training every 1-3 months are almost twice as likely to send company data to personal accounts as those who receive training once a year (80% vs. 49%).
“Businesses have adapted quickly to the abrupt shift to remote working. The challenge they now face is protecting data from risky employee behaviors as working from home becomes the norm,” said Tim Sadler, CEO and co-founder of Tessian. “Human error is the biggest threat to companies’ data security, and IT teams lack true visibility of the threat. Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making the costly mistakes that result in data breaches and non-compliance. It’s critical these solutions do not impede employees’ productivity though. We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.”
Differences by Age and Company Size
In addition to differences in safe security practices by region, there are also notable contrasts among age groups and between startups and large enterprises. For example:
· 50% of workers from small companies (2-49 employees) agree they’re less likely to follow safe data practices when working from home, compared to only 30% from companies with 1,000 employees or more.
· Workers in the 18-30 age demographic are 3x more likely to send emails to the wrong person — 69% vs. 21% of workers who are 51 or older. And while 31-40-year-olds are more careful on email, over half (57%) admit to sending misdirected emails.
· 41% of workers aged 18-30 have taken company documents with them when they’ve left a job, compared to only 13% of workers aged 51 and older.