Last year's Ponemon’s Varonis-sponsored security study had users and IT practitioners agreeing that managing confidential information was inadequate at their organizations. Since then, the number and depth of attacks have significantly increased.
Let’s look as the study results and see how badly we are screwed.
The Ponemon survey involved 3,000 employees and IT practitioners and it was international in scope (U.S. and Europe). The interviews were conducted in April and May of 2016 with 1,371 end users and 1,656 IT and security professionals. Industries were diverse but a special focus was on financial services, public sector organizations, health care firms, life sciences companies, retail firms, and firms in the industrial, software, and tech segments.
Results: Things Are Degrading Rapidly
Last year, 67 percent of those surveyed indicated they had been breached, suffering a significant loss or theft of company assets over the prior two years. This year, that number is up to 76 percent. When you realize that not all breaches are reported, or even discovered, it suggests that both numbers likely underestimate the problem significantly. Insider negligence is twice as likely to cause the compromise.
Ransomware and other attacks continue to advance. Seventy-eight percent of those surveyed are concerned that they may be attacked. Fifteen percent have been attacked and half of those weren’t aware they had been attacked until the attack had progressed for over 24 hours. In other words, a huge number of people know they are exposed, haven’t significantly mitigated the exposure and, even when attacked, have no good way to identify the attack in order to mitigate the damage.
Access to mission-critical data has increased markedly as well. Eighty-eight percent of the respondents, up sharply from 76 percent last year, indicate that they have access to business critical and confidential information including undisclosed financial reports, classified documents, employee and customer information and contact lists. In addition, 62 percent indicate they didn’t think they were authorized to see much of what they had access to. Only 29 percent of firms enforced some kind of limited information access policy ensuring people couldn’t see things they weren’t supposed to see.
Hillary Clinton isn’t alone with her unsecure email, apparently. Only 38 percent of firms don’t monitor or track file and email activity. This means that over a third of the firms surveyed couldn’t tell if their confidential information was being stolen by an insider or an outsider using an employee’s ID.
Finally, 35 percent of the firms surveyed have no way to determine if they have been infected by ransomware and, if infected, how to assess the damage, let alone mitigate it.
Everyone seems to know we are in an arms race with some hostile hacker types. The vast majority of folks are literally betting their careers that either they won’t be hit, or that the hit they get won’t be blamed on them.
Wrapping Up: How Could Things Be Getting Worse?
I’m trying to wrap my head around this. We know the exposures are increasing, we can see that breaches cause top executives (and politicians) to lose their jobs, and yet fixing the underlying problems appears to remain a low priority. I can’t get over the fact that we appeared to be in better shape in 2014 than we are now. Now Varonis, which has a solution to this problem, does fund the survey, but we just have to look out into the world to realize that, if anything, they are actually understating the problem.
Seriously, this should be a higher priority for many of you than it is. Breaches are bad enough, but if you lose your customer data to a ransomware attack that comes in through an employee, not only are you done but that poor employee likely can kiss his or her career goodbye as well. Read the study. If it looks like you, figure out what it would take to fix the problem and then push it upstairs. The job you save may be your CEO's (and, of course, your own).
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+.