2013 ‘The Enemy Within’ Report Loudhouse – AUS Edition Commissioned by Clearswift White paper www.clearswift.com


Table of Contents

Executive Summary

Awareness and impact of data breach legislation

IT security drivers and priorities

The security threat landscape

Identifying “the enemy within”

Moving forward

Conclusion

About Clearswift


Executive Summary

The amendments to the Privacy Act, due to come into effect in 2014, reinforce both the importance and significance of upholding data security. Data protection has long been a priority for many businesses, but many high-profile cases, combined with tightening legislation, have seen information and data security become a top business objective. The rise in technology trends such as Bring Your Own Device (BYOD), cloud computing and big data only serves to create further problems for decision makers already under intense pressure to improve their level of protection against a whole range of security threats. Whilst businesses may be preoccupied with safeguarding their data against malicious external dangers, they are allowing threats closer to home to develop.

Clearswift, a leader in communication security, commissioned Loudhouse to conduct research to identify the extent to which internal security threats are affecting Australian businesses and how best to manage them moving forward.

The research findings show that, although security strategies are driven by the need to protect against external threats, businesses are more likely to encounter breaches within their own extended enterprise. However, rather than being the result of any malicious intent, such breaches emerge from a lack of awareness and understanding by employees who mix their own way of working with a system underprepared for it.

Key findings from the research include:

Awareness and impact of data breach legislation

• One in three organisations are unaware of the Privacy Act 2012

• Such awareness however drops for the amended data breach legislation, 2014 – with over two thirds (35%) of organisations unaware of the changes currently from parliament

• With these changes to legislation imminent, the biggest concerns are around employee compliance (31%) and potential reputational damage (31%), although the costs associated with compliance (19%) and financial penalties that may result from non-compliance (7%) are also on the radar

IT security drivers and priorities

• Improving or maintaining IT security is a top three priority (46%) – other key priorities are maintaining or improving IT infrastructure (45%), regulatory compliance (39%) and improving IT / business alignment (38%)

• 70% believe data security is a high priority compared to other objectives within their organisation

• 78% feel it is difficult to keep up with the ever changing security landscape and 84% think the adoption of new technologies in the organisation requires constant security innovation and changes in policy

• 83% think all companies should be more forthcoming about reporting major security breaches / attempts

The security threat landscape

• A quarter (24%) are aware of IT security breaches within their organisation

• Only 23% of companies are considered “security savvy” (highly confident that they have necessary resources to manage all IT security incidents)

• Employees are most likely to be seen as the source of data security breaches (44%), whilst 20% say ex-employees are a source and 21% say customers, partners or suppliers. 42% see parties outside / unknown to the organisation as a source of security breaches

Research Methodology

200 online interviews were conducted with decision makers responsible for compliance, security, privacy or IT in companies in Australia during August 2013. Interviews were conducted across a range of industry sectors and organisation sizes. Research was conducted by Loudhouse, an independent research agency based in London.


[Figure A: Research Sample. Panels: Company Size; Sector]

…ignoring the internal threat is no longer an option

Identifying the “enemy from within”

• 42% of companies are positively accepting the BYOD trend – the remainder are blocking access where possible (36%) or denying it is happening (11%)

• 61% believe that users will continue to use their own devices on the network whether it is sanctioned or not

• Inadvertent human error (85%), lack of awareness of IT security issues (83%) and introduction of viruses via personal devices (80%) are the key internal security concerns

Moving forward

• Organisations see education of end-users (57%), understanding the location of company critical data (52%), the use of more advanced / intelligent IT security tools (52%) and clearer, more enforceable security policy (46%) as critical in managing IT security threats in the next two years

• 90% say that collaboration between IT and the business is the best way to manage IT security threats

Rather than resisting the use of personal devices and applications in the work-place, organisations must look to educate employees about the potential dangers and better communicate their own security policies to them. By increasing the level of employee understanding, combined with installing more sophisticated data protection tools, businesses can enjoy a greater level of data security whilst complying with tightening regulation.


[Figure 1: Awareness of Privacy Act 2012]

[Figure 2: Biggest concern ahead of Data Breach legislation]

Awareness and impact of data breach legislation

Reforms to the Privacy Act, due to come into effect March 2014, intend to introduce a set of new principles that will regulate the handling of personal information by both Australian government agencies and businesses. The impact of these changes is likely to have far-reaching repercussions for businesses, yet a significant minority of businesses are unprepared for such changes. Over one third (35%) of Australian businesses admit to being in the dark about the impact of the Privacy Act 2012 (see Figure 1).

However, the issue around awareness becomes particularly alarming given the mandatory data breach legislation which will come into effect next year. In taking significant steps to improving data transparency and accountability, the proposed data breach legislation requires organisations to notify customers if unauthorised individuals or organisations access their personal information, or if organisations themselves lose personal information. The preparation for such legislation is extensive, yet nearly three in four businesses (73%) admit to not even being aware of it.

Whilst businesses may have the necessary systems and practices in place to cope with change, in order to fully comply with legislation their employees must be fully on-board. Yet two-thirds of organisations (65%) admit that their employees are not prepared for forthcoming legislation.

A lack of awareness, combined with minimal preparation, is likely to spell trouble for companies. Employees not complying with legislation (31%) is the biggest concern for businesses ahead of agreed legislation next year, coupled with the impact to reputation if breaches occur (31%). The cost needed to prepare for legislation (19%) and possible fines associated with potential data breaches (7%) are further concerns (see Figure 2).

Businesses should take the necessary steps to ensure they are prepared and are ready to comply with legislation. However, the real focus should be on preventing breaches in the first place. The impact of a security breach is likely to cause significant reputational damage, and this is only likely to grow as threats evolve and legislation increases transparency.


[Figure 3: IT priorities]

[Figure 4: Key drivers of IT security]

IT security drivers and priorities

Businesses are constantly faced with new, complex and varied security threats. Systems which are out-dated or fail to respond to the changing security landscape run the risk of exposing their infrastructure to a wide range of dangers, and consequently, leave their company vulnerable to attack. Such is the need to keep pace with the current threats that improving and maintaining IT security (46%) is the top priority with regards to organisational data security over the next 12 months (see Figure 3). Further priorities include maintaining or improving IT infrastructure (45%), upholding regulatory compliance (39%) and improving IT / business alignment (38%).

Beyond immediate costs and fines, the impact of a security breach can have far-reaching implications for a company, with trust and integrity at risk of erosion. As such, data security is no longer seen as the sole responsibility of the IT department but instead a collective duty the business as a whole should share. Indeed, 70% believe data security is a high priority compared to other objectives within their organisation, highlighting the importance of data security alongside other key business metrics such as profit margins, corporate responsibility and employee engagement.

The growing need for greater data protection is driven by businesses’ perceived fear of threats which lurk outside their company. Nearly two-thirds (65%) state that protecting sensitive data from external threats is a key driver in determining their overall data security strategy (see Figure 4). Comparatively, just under a half (47%) see protecting sensitive data from internal threats as a key driver. Further drivers include compliance (62%) and the need to safeguard customers’ trust in their organisation (47%).

However, new technologies have changed the dynamic of how security breaches are managed. The consumerisation of technology has seen end users become increasingly empowered in recent years. Trends such as BYOD (Bring Your Own Device) provide an opportunity for employees to enjoy greater flexibility and autonomy, but at the same time IT departments are losing their grip over the tools they use. 84% think the adoption of new technologies in their organisation requires constant security innovation and changes in policy. Furthermore, subsequent change brings with it both uncertainty and complexity, with 78% believing it is difficult to keep up with the ever changing security landscape.


[Figure 5: Confidence in managing security threats. Survey question: How confident are you that your organisation currently has the necessary resources, skills, technologies and processes in place to manage all IT security threats, whether internal or external?]

[Figure 6: Perceived source of security threats. Survey question: What proportion of IT / data security incidents in the last 12 months would you estimate originate from the following sources?]

The security threat landscape

Security breaches provide a constant challenge for businesses. One in four (24%) organisations indicated they are aware of IT security breaches occurring within their company over the last 12 months. Just under two-thirds (62%) claim they were unaware of any security breach occurring in the same timeframe, but worryingly, one in seven (14%) note that they were unsure whether a breach had occurred in their business or not.

Businesses are struggling to adapt to the often changing security landscape they inhabit. Employee adoption of new technologies means IT departments are often battling on many fronts. However, the ‘inside versus outside’ attitude towards data protection is fast becoming an out-dated approach, with the ‘enemy’, in reality, often unknown and invisible to many organisations.

Confidence in managing security threats in this complex environment is measured, as businesses slowly come to grips with the new landscape. Only 23% (rising to 34% amongst companies with 5000+ employees) see themselves as ‘security savvy’ - highly confident that their organisation has the necessary resources, skills and technologies in place to manage all internal and external security threats (see Figure 5). Over half are ‘security seekers’ who are quite confident they have the resources in place, but could do more, whereas 18% admit to being security shy and not confident of their data security.

Despite a security strategy driven by a need to protect from external threats, businesses acknowledge that breaches are more likely to occur within their own territory. Indeed, companies believe that security breaches are more likely to originate from their own employees (44%, rising to 50% amongst companies with 5000+ employees) rather than from outside their organisation (42%) (see Figure 6).

Further still, the ‘extended enterprise’ in which a company operates presents further challenges. Both ex-employees (20%) and third parties (21%), be it customers, suppliers or business partners, provide a further threat to security. As networks become increasingly open, yet dispersed, businesses run the risk of exposing themselves to further dangers.

Security decision makers must look to manage this changing security environment carefully. If they continue to only look outside to potential dangers, they will fail to see the growing threats which are developing within their own extended network.


[Figure 7: Organisational response to BYOD trend]

[Figure 8: Internal security threats]

Identifying “the enemy within”

The explosion in the use of new technologies, be it cloud computing or employees bringing their own devices to work, presents a significant dilemma for today’s businesses. Do they choose to reject such trends, in fear of the threats which they may cause, or accept them and actively manage them together? In practice, businesses are split in how to best manage the rise in such trends. When looking at managing new technologies such as BYOD, 42% say they are positively accepting it and looking to proactively manage it wherever possible (see Figure 7). Comparatively, 36% are resisting it or looking to block access wherever possible, with a further 11% in denial that such a trend is occurring.

The reality for businesses however, whether they accept or reject such trends, is that employees will continue to embrace their own devices irrespective of what the company line is. As such, 61% believe that users will continue to use their own devices on the network whether it is sanctioned or not.

This creates a challenge for organisations. If they are actively resisting the use of personal devices and applications for work, or even denying its existence, then employees may take the use of their devices ‘underground’. With no visibility of what is going on, businesses will be unable to regulate the use of data in their business. Inevitably, security threats and breaches will escalate as employees, unaware of the dangers, share and manage the use of data unsafely.

Rather than security breaches originating from a ‘malicious enemy’ from within the business, in reality, threats originate from employee ignorance and lack of awareness. Indeed, inadvertent human error (85%), lack of awareness of IT security issues (83%) and introduction of viruses via personal devices (80%) are the key internal security concerns (see Figure 8). Further still, 38% of organisations believe they have experienced a security breach either directly or indirectly as a result of inadvertent human error.

The real enemy within is a lack of transparency within the business. Clear and open guidelines provide the first step to preventing security breaches, and are likely to be more cost effective than investing in anti-fraud tools. Given employees’ propensity to use their own devices at work, regardless of whether allowed or not, organisations are more likely to succeed by working together rather than ruling with an iron fist.


Moving forward

With internal security threats likely to originate from lack of awareness, both knowledge and education form the fundamental basis of data protection. Educating end users about the threats and dangers (57%) and understanding the location of company critical information (52%) are seen to be both critical in managing IT security threats in the next two years (see Figure 9). Furthermore, using more advanced security tools (52%), and creating a clearer and more enforceable IT security policy (46%) are also felt to be “very important” in managing these threats.

Businesses may have the rules in place, but the need is to ensure that guidelines are communicated both effectively and regularly. 81% claim to have a detailed IT security policy that is shared with all employees, with a further 69% reviewing their data privacy guidelines in the last 12 months.

Such is the importance of better education in the workplace that 70% say they regularly train or make their staff aware of IT security policy, rising to 78% amongst those organisations who actively manage the BYOD trend (see Figure 10). As the extended enterprise grows and becomes more diverse and dispersed, the need for greater clarity about the rules becomes even greater. 80% require third parties to comply with their information and security policies. With the right structure in place, employees, suppliers, partners and customers can work together both freely and safely.

Yet the duty to educate and uphold security should be the responsibility of the company as a whole. IT departments will indeed manage data protection on a day-to-day basis, but the collective vision of a safer environment should be shared by every single member of the business. Indeed, the vast majority (90%) believe collaboration between IT and the business is the best way to manage IT security threats. Only by installing the pillars of trust and understanding, can companies move forward and create a safer working environment.

Businesses must look to become more transparent if they wish to control the rising dangers. 83% think all companies should be more forthcoming about reporting major security breaches or attempts. Only by becoming clearer over the origins of data breaches can companies start to tackle increased complexity. However, the right legislation needs to be in place, and enforced, to ensure companies are complying with data security. As it stands, less than half (47%) feel the Australian government has an appropriate strategy in place to deal with the ever changing landscape.

[Figure 9: Important aspects in managing potential data / IT security threats in the next two years]

[Figure 10: Moving forward – the role of education and collaboration]


Conclusion

Improving and maintaining data security has become an increasing priority in recent years. With the implications of a security breach only too well known amongst organisations, the need to protect sensitive data has risen to become a significant business objective. However, storm clouds are brewing over the security landscape, bringing with them an unprecedented level of complexity. Cloud computing, BYOD and big data are only a few examples of trends which pose serious questions to companies about their data protection.

Worryingly, businesses’ attitude towards data security is becoming outdated. Data security policies are primarily driven by a need to protect against threats from outside the business and to comply with regulation. Whilst this is justified, companies must give an equal weight to the emerging threat to their business, the “enemy within”. The rise in the use of personal devices and applications in the workplace, combined with an ever growing ‘extended enterprise’, presents a complicated challenge for decision makers. More and more breaches appear to be occurring within the company’s own territory. Indeed, businesses acknowledge that security breaches are more likely to come from their own employees, rather than from people outside the organisation.

However, the true enemy is ignorance and lack of understanding itself. Internal security breaches are most likely to be the product of either inadvertent employee error or lack of awareness of security protocol. Businesses can choose to either reject the upsurge in tech trends or positively accept them. By choosing to block their use or simply ignoring their existence, key decision makers run the risk of allowing their data to become unregulated, unmanaged and unsafe.

Rather than installing ‘top-down’ policies, businesses must look to educate and make users aware of IT security guidelines. By instilling a level of trust within the organisation, combined with the appropriate security tools and policy, businesses can look to effectively manage internal threats going forward.

Next year proves to be a big year for Australian businesses. Clarity and transparency are two virtues which must be upheld if preventing security breaches is to be a true success. Whilst legislation is continually debated by past and present governments, organisations can look to take the first steps to ensuring their own privacy and security is sustained.


About Clearswift

Clearswift is an information security company, trusted by thousands of clients worldwide, to provide adaptive cyber solutions that enable their organizations to secure business critical data from internal and external threats.

Built on an innovative Deep Content Inspection engine managed and controlled by a fully integrated policy center, Clearswift’s solutions support a comprehensive Information Governance strategy resulting in data being managed and protected effortlessly.

As a global organization, Clearswift operates out of offices in Europe, Australia, Japan and the United States.

Clearswift has a partner network of more than 900 resellers across the globe.

More information is available at www.clearswift.com
