By Rick Orloff, Chief Security Officer, Code42
We are not lacking choices: whether it’s in the information we consume, the things we can buy or the ability to express ourselves through multimedia channels. It’s therefore no surprise that our most valuable asset, human capital, is finding ways to work outside the boundaries of the traditional workplace. Enterprises are increasingly porous, as is the technology infrastructure that is supposed to keep all the bits and bytes of precious corporate data within the corporate infrastructure. This is because we now expect to hold data wherever we are—on endpoint devices such as laptops and tablets, and in cloud storage. An enterprise can secure the core, but data has become persistently mobile and accessible outside the corporate network perimeter.
In this rapidly changing and rather troublesome security landscape, we decided in the UK to conduct a piece of research—Code42’s 2016 Datastrophe Study. This research aimed to get under the skin of how chief information officers (CIOs), chief information security officers (CISOs) and IT decision makers (ITDMs) view the porous enterprise. It also collated the views of employees, who are holding most of the data outside the perimeter. Working with two independent research partners, we surveyed 400 IT decision makers—including CIOs and CISOs—and more than 1,500 UK-based knowledge workers aged 16 to 55+, all of whom work in enterprise-size organizations.
The results are startling: 45% of all corporate data today is also held on endpoint devices—according to the IT respondents. Yet at least one in four ITDMs acknowledge that they do not do enough, or do not know if they do enough, to protect corporate data. Putting this into perspective, the IT department knows it has a problem, but 25% of ITDMs know they are not tackling it. This is a huge risk. An impending data catastrophe. A datastrophe! Well, you get the point.
We all know the issues. 88% of CIOs/CISOs and 83% of ITDMs reveal that they understand the serious implications and risks of large swathes of corporate data residing on endpoint devices—stating that losing critical data would be seriously disruptive or could cause irreparable harm to the corporation and its brand. But, awareness of data risk is also felt on the shop floor, with 47% of employees agreeing that the risks of corporate data loss would pose a threat to business continuity.
Yet, despite this understanding, three-in-ten ITDMs (30%) acknowledge that they do not have, or—very worryingly—don’t know if they have a meaningful endpoint data protection security strategy or solution in place. In turn, one in four employees (25%) say they do not trust their IT teams or companies with their personal data. And a further 36% of employees believe their company is at risk of a public breach in the next 12 months. So, the employees in the trenches with the real-world view (that the C-suite sometimes lacks) are worried.
For IT departments, the issues are not just internal. There are added regulatory pressures to consider. Sixty-nine percent of ITDMs say that the upcoming EU General Data Protection Regulation (GDPR) will affect the way they purchase and/or provision data protection and data security tools/solutions. In fact, 76% suggest they will be increasing their security tools and capabilities. Yet 18% are waiting for the proposed regulatory changes to be finalized before making any commitments—this might be too little, too late. Adding new capabilities requires careful planning with CapEx and OpEx considerations, and this rarely happens overnight. Add to this the 43% of ITDMs who say they have been affected by the invalidation of Safe Harbor—which will soon be replaced by Privacy Shield—and you might see ITDMs engaged in a waiting game, a.k.a. analysis paralysis.
Security leaders need clear, effective and measurable strategies that pursue proactive steps to protect their companies—or risk facing a datastrophe! From the CISO to the technical administrator, each individual needs to work with the lines of business in their organization. They need to define their unique endpoint risks, embrace the agreed-upon solution(s), and deliver them according to plan—quickly. It’s never too late for a proactive plan.
A last word: The 2016 Datastrophe Study is peppered with commentary from experts—including CISOs, analysts and ethical hackers—who share their views on the future of endpoint data protection. To participate in the conversation, you can join us @code42 (a malware-free site ☺).