Security vendor Code42 has released its 2018 Data Exposure Report (registration required). At 32 pages, it takes a little time to read and digest. Its key message is that human behaviour is the biggest problem when it comes to data leaks. This is not just about people continuing to click on dodgy links and falling for phishing attacks. It is about arrogance and the assumption that security rules don’t apply to certain people.
For security teams, this message is nothing new. Most if not all security teams have dealt with director and C-suite level individuals who have been responsible for leaking data or causing a cyber security incident. Yet when challenged, this group, more than any other, fails to accept its responsibility. The report states: “emotionally driven employee behavior—particularly in the C-suite—puts company security at risk.”
This report relied on the responses of over 1,000 security and IT leaders, CSOs, CTOs, CISOs and CIOs, as well as 600 CEOs and business leaders. All of the respondents said they had budgetary decision-making power.
CEOs and business leaders ignoring the law on IP
Data loss is not all about hacking. It is about the protection of intellectual property (IP).
UK law firm Shoosmiths LLP says: “The general rule in relation to IP created by an employee during the course of their employment is that, in the absence of agreement to the contrary, the first owner is the employer.” It is a view that has been upheld by British and other courts around the world.
The majority of CEOs and business leaders in this report take a contrary view. While some accept that the company may have some rights, the rest believe that they created and own it. Having decided that they own it, they also believe that they can take it with them to a new job.
The biggest offenders are CEOs, CMOs and CFOs. These are three key members of the C-suite often jointly responsible for the direction of the company. By taking company IP with them they are, in effect, stealing commercial secrets from the company.
The boardroom likes to click
It doesn’t matter what job people have, they like to click on links, even when they shouldn’t. What matters, at least in the enterprise, is what you do after clicking on a potentially dodgy link. The majority of organisations have security policies that require users to report such mistakes to IT security. This is to help ensure that monitoring can be put in place to mitigate any potential attack that results.
When it comes to the C-suite and business leaders, company policies go out the window. In their place is blind faith, prayer and hope all mixed in with a little forgetfulness. It also appears that senior officers inside organisations believe they have more tech skills than IT gives them credit for. The lack of trust is mutual with over 20% of the C-suite believing IT wouldn’t know what to do.
The report asked respondents “why they would choose not to report what they had done to IT”. They said:

| Reason | Business Leaders | C-Suite |
|---|---|---|
| It was something I could sort out myself | 38% | 36% |
| I didn’t think it posed any risk to my company’s security | 24% | 20% |
| I was afraid of the repercussions | 23% | 26% |
| I hoped nothing would happen | 22% | 27% |
| I didn’t think it mattered | 20% | 20% |
| I forgot to do anything about it | 16% | 17% |
| They wouldn’t know what to do anyway | 15% | 21% |
Using personal software and not backing up
Bring Your Own Device (BYOD) has created a problem for many IT departments. Users bring their own devices to work and then use them for company business. This means that they store data in consumer rather than enterprise-grade applications. There are several risks here:
- Where is the data stored?
- Is the data encrypted?
- Has the data been stored or backed up on company systems?
All of these lead to data leakage and, in the last case, create a significant risk of total loss of data. The report shows that business leaders and the C-suite are no different to other users. They like their personal devices and cool software apps. They use them for business purposes and don’t bother to check if data is backed up to company servers.
Yet these are people who often handle and access the most sensitive data an enterprise has. If the data is lost it can have a significant impact on the business. In addition, they also reuse their security credentials across these insecure services. This means that a data breach at their favourite app not only risks losing access to the only copy of the data but also gives attackers access to company servers and data.
If IT cannot see the data, it cannot protect it. If the data is stored in the cloud it could end up creating a privacy and security problem. Users do not check that their data is geo-fenced. Country after country is enacting law to keep certain data in-country. If business leaders and the C-suite can’t be bothered then neither can users.
What does this mean?
The sound of IT security pros shrugging their shoulders at many of these findings is almost deafening. The assumption by those at the top of organisations that rules do not apply to them is nothing new. In this case, the impact of those decisions can be business threatening.
The taking of IP when a senior company officer moves to another job is theft. There is no other word for it. Leaving highly sensitive company data unprotected or not copying it to company servers is negligence.
This report will amuse many in IT security but should be read carefully by non-executive directors. It is their responsibility to call the C-suite to account. It’s time for some hard questioning in the boardroom.