Varonis-Sponsored Ponemon Institute Report Examines Widening Gap Between End Users and IT Professionals as Data Breaches Increase
At a time when ransomware and other attack techniques that exploit insider negligence have become rampant, only 39 percent of end users believe they take all appropriate steps to protect company data accessed and used in the course of their jobs. This is a sharp decline from 56 percent in 2014, according to a new survey of more than 3,000 employees and IT practitioners across the U.S. and Europe. The survey was conducted by the Ponemon Institute and sponsored by Varonis Systems, Inc. (NASDAQ:VRNS), a leading provider of software solutions that protect data from insider threats and cyberattacks.
Moreover, while 52 percent of IT respondents believe that policies against the misuse of, or unauthorized access to, company data are being enforced and followed, only 35 percent of end user respondents say their organizations strictly enforce those policies.
The new release, “The Widening Gap Between End Users and IT,” compares end-user practices and beliefs with those of their colleagues in IT security and IT generalist roles. This new analysis draws from the same data released by Varonis and the Ponemon Institute on August 9, 2016, in a report entitled “Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations,” which found a sharp rise in the loss or theft of data, an increase in the percentage of employees with access to sensitive data, and the belief among participants that insider negligence is now the #1 concern for organizations trying to prevent these losses.
The survey results are derived from interviews conducted in April and May 2016, with 3,027 employees in the United States, United Kingdom, France, and Germany. Respondents included 1,371 end users and 1,656 IT and IT security professionals, in organizations ranging in size from dozens to tens of thousands of employees from a variety of industries including financial services, public sector, health care and life sciences, retail, industrial, and technology and software.
Among the key findings:
- Sixty-one percent of respondents who work in IT or security roles view the protection of critical company information as a very high or high priority. In contrast, only 38 percent of respondents who are considered end users of this data believe it is a very high or high priority.
- Asked about their organization’s attitude on productivity vs. security, 38 percent of IT practitioners and 48 percent of end users say their organizations would accept more risk to the security of their corporate data in order to maintain productivity.
- Asked to agree or disagree that the protection of company data is a top priority for their CEO and other C-level executives, only 35 percent of end users agreed while 53 percent of IT professionals believe it is a top priority for senior executives.
- Asked for the most likely causes of the compromise of insider accounts, 50 percent of IT practitioners and 58 percent of end users say negligent insiders. “Insiders who are negligent” was by far the most frequent response for both IT and end users, more than twice as common as “external attackers” and more than three times as common as “malicious employees.”
- End users are far more likely to attribute data breaches to insider mistakes than IT or security professionals. Seventy-three percent of end users say data breaches are very frequently or frequently due to insider mistakes, negligence or malice, while only 46 percent of IT respondents draw the same conclusions.
Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute, a leading research center dedicated to privacy, data protection and information security policy, observed, “At a time when one would expect general improvement in end-user hygiene due to increased awareness of cyberattacks and security breaches, this survey instead found an alarming decline in both practices and attitudes. If an organization’s leadership does not make data protection a priority, it will continue to be an uphill battle to ensure end users’ compliance with information security policies and procedures. Major differences between the IT function and end users about appropriate data access and usage practices make it harder to reduce security risks related to mobile devices, the cloud and document collaboration.”
Yaki Faitelson, Co-Founder and CEO of Varonis, said, “Human error will always be a weak link in security. Insiders compromise security maliciously or accidentally and outside attackers continue to hijack the credentials and systems of employees, administrators, contractors, and executives. The only way to stem this tide is to implement controls on data access, monitor all activity and implement the most advanced user behavior analytics and alerting technologies throughout the organization.”
Varonis is a leading provider of software solutions that protect data from insider threats and cyberattacks. Through an innovative software platform, Varonis allows organizations to analyze, secure, manage, and migrate their volumes of unstructured data. Varonis specializes in file and email systems that store valuable spreadsheets, word processing documents, presentations, audio and video files, emails, and text. This rapidly growing data often contains an enterprise’s financial information, product plans, strategic initiatives, intellectual property, and confidential employee, customer or patient records. IT and business personnel deploy Varonis software for a variety of use cases, including data security, governance and compliance, user behavior analytics, archiving, search, and file synchronization and sharing. With offices and partners worldwide, Varonis had approximately 4,800 customers as of June 30, 2016, spanning leading firms in financial services, healthcare, public, industrial, insurance, energy and utilities, media and entertainment, consumer and retail, technology and education sectors.