Why Employees Cause Data Security Issues
May 2, 2017
Dell recently put out a great survey that takes a look at how employees understand and act in regard to corporate data security. While there are of course some outlier employees who are trying to steal information, the Dell End-User Security Survey 2017 largely points to a major theme: employees worry about security, they just don’t know that they’re being unsafe or are willing to risk it in order to get the job done. From the survey:
“… even employees who have been educated on the risks of sharing confidential data without following security protocols have not fully “bought into” the consequences that can arise from this behavior. They understand their actions are risky yet still are not deterred by the potential consequences, which feel ethereal compared to the tangibility of their daily workplace tasks.”
By understanding the current state of employee cybersecurity, internal teams can learn how and where to beef up their programs and what additional solutions may need to be introduced to help further strength data security.
The Desire to Do Right
Thankfully, the study found that, overall, employees want to protect confidential information. They understand that risks exist and are even concerned that not being fully prepared or vigilant may cause an issue.
- 65% of employees feel it is their responsibility to protect confidential data
- 22% of employees are worried that they will do something by mistake that will cause a cybersecurity issue
This underlying understanding of an individual’s responsibility to help protect corporate cybersecurity is unfortunately undermined by a general lack of knowledge (even after security training) and pressure to perform. So while employees mostly want to do the right thing, there are a few major obstacles standing in their way that form a large portion of continued security issues.
The Reason Employees Aren’t Secure
While the majority of employees understand the need for cyber security, they don’t always follow through with best practices. The reason for this gap is typically because they’re still unclear about how to protect confidential data or they opt for unsafe practices to achieve better productivity.
Employees are still unclear on security best practices: 
- 18% of employees conducted unsafe behavior (even after going through security training) without realizing what they were doing was wrong
- Only 36% of employees feel very confident in their knowledge of how to protect sensitive company information
- 21% feel it’s difficult to keep up with changing security guidelines and policies
Productivity and ease trump security:
- 21% of employees feel that security measures implemented by IT slows down their work
- 24% of cybersecurity-trained employees conducted unsafe behavior to just get the job done
- 76% feel their company prioritizes security at the expense of employee productivity
This creates a climate where employees may inadvertently cause a data breach despite their best efforts, or worse, cause a breach because they view security as getting in the way of doing their job effectively and efficiently.
Companies Aren’t Doing Enough
The Dell survey makes it clear that organizations need to do a better job of training employees on cybersecurity and find ways to keep policies, procedures and standards top of mind for workers. Organizations also need to find a healthy balance between productivity and security – and ensure that message is reinforced at every level of the organization. (While it’s not a direct example, an unbalanced drive toward results above all else is arguably what caused the major Wells Fargo scandal.)
In light of the findings of this survey, though, it’s clear that organizations that are concerned about cybersecurity – particularly those within highly regulated industries – should consider taking steps that go beyond cybersecurity training. Implementing controls and having a proactive approach to security can take much of the question out of the hands of employees.
For instance, implementing controls that prohibit certain high-risk actions can help combat situations the Dell survey uncovered, such as the fact that:
- 35% of employees take corporate information with them when they leave a company, primarily via USB (61%) or email (58%)
- 56% of employees use public cloud services (like Dropbox, Google Drive and iCloud) to share or back up work
Locking down functions like saving to an external drive or cloud can mitigate this risk, forcing employees to follow the company’s security policies.
Implementing security controls is best addressed based on use cases. Separating employees into use cases allows companies to implement the proper security protocols and controls based on the functions each group needs to perform. Committing to a more customized (rather than a one-size-fits-all) approach to security helps protect employee productivity while minimizing risk and the chance for data mishandling and mistakes.
You wouldn’t give every employee the company’s banking information, so why would you let all employees add attachments to emails if that’s not a necessary part of their job function? Identify high risk functions and disable them for any employee that doesn’t need that ability to perform their job. Think of security controls like the bumpers on a bowling lane. Employees know the goal is to get the ball down the center of the lane, but bumpers are just there to help make sure everything stays on course and in bounds.
Isolate Information for Additional Protection
Another security short-coming within many organizations is not adequately protecting data access.
- 31% of employees say third-party vendors or consultants have access to internal company information systems
- 45% of employees admit to engaging in unsafe behaviors – including accessing confidential information over public Wi-Fi (46%) and losing a company-issued device (17%)
If you leave confidential information accessible and open, you will eventually experience a data breach. End of story. Protect data whether it’s in the hands of a contractor or a thief who stole an employee’s laptop by making sure the data is always stored within a password protected application or – better yet – an isolated, secure virtual desktop environment. This allows account access to be revoked at any time and ensures data is never stored on the endpoint itself where it is vulnerable. (Virtual desktops also make it easier to manage user group controls since every desktop is based off a customizable golden image that allows security and control changes to be quickly and easily pushed to an entire workforce.)
Increase Security
While each organization is clearly different, companies should use Dell’s survey to honestly evaluate their culture and approach to data security. Whether you need more security education, or additional controls and solutions to help continuously guide employees (or both), taking a proactive approach that addresses may of the issues raised by the survey will result in a stronger organization – and less chance of an internally triggered data breach.
Take the time to read Dell’s entire 10 page survey, it includes many more statistics and insights that can help companies understand how to better address security.
You may also like:
More Posts like This
Case Study: Making Remote Medical Coders HIPAA Compliant
Nov 08, 2018
Learn how Dizzion helped Mindseeker create a secure, HIPAA compliant, easily scalable environment for remote medical coders. READ MORE
Who Needs Virtual Desktops?
Nov 01, 2018
Virtual desktops benefit everyone in an organization, but these three personas stand to gain the most and should be the biggest proponents. READ MORE
Why BPOs Trust Dizzion
Oct 18, 2018
With increasing competition and client-driven demand for 24/7 coverage, security and compliance, BPOs are turning to Dizzion as a valued solution provider. READ MORE