Most employees know how important it is to protect sensitive enterprise information, but in practice many admit they engage in risky behavior.
That’s the conclusion of a new Dell survey of 2,608 professionals who handle confidential data at companies with 250 or more employees in eight countries, including Canada.
Nearly two in three employees (65 per cent) agree it’s their responsibility to protect confidential data, including educating themselves on possible risks and behaving in a way that protects their company.
But 45 per cent of respondents admitted to engaging in unsafe behaviors throughout the workday, says the study. For example, 46 per cent admit to connecting to public Wi-Fi to access confidential information, and 49 per cent to using personal email accounts for work. Seventeen per cent admitted to losing a company-issued device.
Canadian respondents had nothing to boast of: 57 per cent admitted using corporate-issued devices to access personal social media accounts, second highest of all eight countries surveyed.
Those in highly regulated organizations are worse: 48 per cent said they have connected to public Wi-Fi to access confidential work information, and just over half have used personal email accounts for confidential work communications. More than one in five (21 per cent) have lost a company-issued work device.
These numbers are even higher among employees of small to mid-size organizations surveyed, said the report.
“Perhaps one of the most shocking findings is that more than one in three employees (35 per cent) say it’s common to take corporate information with them when leaving a company,” says the report.
Imran Ahmad, partner and national leader of the cybersecurity law practice at Toronto-based Miller Thomson LLP, said in an interview the report underscores that many organizations aren’t giving staff security awareness training, or if they do it isn’t sinking in. “A lot of people don’t do the training. And when you get to the enterprise [large organization] level it’s a mixed bag: Some are great and they do actually track and audit” who is trained. “But the vast majority may get one training session.”
“You need the constant refresher, and that’s part of the fiduciary responsibility of the board.”
Interestingly, only 36 per cent of respondents are very confident in their knowledge of how to protect sensitive company information. While two in three said they are required to take cybersecurity training on protecting sensitive data, 18 per cent still conducted unsafe behavior in the workplace without realizing what they were doing was wrong, says the report. A quarter of respondents who had been trained said they did unsafe things because they just wanted to get their job done.
Twenty-one per cent said the security put in place by IT slows down their work, while 21 per cent feel it’s difficult to keep up with changing security guidelines and policies.
The report concludes policies on confidential data usage and sharing in many companies are either unclear or not comprehensive enough to cover a range of office work.
“Organizations must stop simply telling employees not to share confidential information,” it says, “and instead unlock the ability for them to share confidential data when it makes sense, but in a secure and simple fashion.”
To that end it recommends data protection and security officers:
–Create simple, clear policies and ensure they outline steps for handling common scenarios that employees experience;
–Embrace and enable productivity — that is, find a way to balance security with meeting business objectives. “If data security policies encumber workforce momentum, employees will find a way around them;”
–Adopt technology solutions that protect data wherever it goes.