The Threat Within: How Email & Employees Can Impact Your Cybersecurity Efforts
An investigation into the behaviors of employees who explicitly disregard their company and industry data policies.
In today’s business landscape, quickly and easily sharing information (both within the company and beyond) is critical for employee success. Yet, despite
your company’s best efforts to keep information secure, 60% of
workers admit to knowingly violating security policies. Even with
significant training, availability of secure tools, the looming threat
of enormous government fines, and the severe impact the loss of
sensitive data can have on customers and companies, many
employees continue to bypass security policies and put their
organizations at considerable risk. With IT security spending reported
to reach $170 billion by 2020, it’s critical for companies to understand
which tools work best for their needs and their employees. This study
delves into the reasons employees choose risk over security and
what might motivate them to stop.
Fixing the security problem will mean smarter security investments
With an average of 82 hours spent on security policy training per year, and an average
of nearly 80 hours spent training on how to use security tools, companies are increasing
their commitment to security by investing more time, money, and resources to make sure
that confidential data is shared securely. A majority of employees understand their
companies are very concerned with securing sensitive data.
Specifically, in regulated industries like healthcare, an industry where privacy is paramount,
efforts to ensure adequate security are aggressive. This heightened awareness is reflected
in the respondents having a greater focus on security.
According to the data, 97% of participants in healthcare confirmed their company does
have secure document delivery tools, and 92% of respondents reported they’ve been
trained on how to use them.
COMPANY COMMITMENT TO DATA SECURITY IN GENERAL
98% of respondents stated their company cares about data security, and 93% reported their company proactively invests in keeping data secure.
COMPANY COMMITMENT TO DATA SECURITY TOOLS AND SECURITY
95% of respondents reported that their company provides secure information tools, and 85% revealed their company has policies about sharing, delivering, and securing data, documents, and information.
COMPANY COMMITMENT TO EMPLOYEE TRAINING
88% of respondents reported their company trains employees on properly using secure methods of information sharing and delivery.
Because employees knowingly break the rules
Unfortunately, convenience leads people to bypass security policies. This was the same no matter the industry, title, or age. While 78% of respondents said they understand and agree with their company’s security policies:
• 74% admit to bypassing policies when sharing data internally
• 60% admit to breaking security guidelines when sharing outside the company
While all age groups within the workforce report significant non-compliance, the reasons differ by age. Specifically, while Generation Y through Baby Boomers simply don’t care about data security compliance, Millennials acknowledge laziness. Almost one in five (17%) of Millennials reported being too lazy to follow company policies, whereas those over 35 are 26% more likely to use insecure methods when transferring sensitive information. Additionally, while 90% of Generations Y through Boomers understand and agree with their company’s security policies, they are 10% more likely than Millennials to ignore them.
Alarmingly, workers in highly regulated industries admit to breaking security rules. Specifically, respondents who work in healthcare:
• 87% of healthcare workers reported sharing confidential information using regular email even though they understand that it is not HIPAA compliant
• 10% admit to not following any security policies when sharing information
Email is not secure, and they don’t care
Although nearly all reported having access to and solid training on secure communication tools (sync and share services, clouds and/or drives, and secure file transfer), nearly 75% of employees admitted to sending sensitive information via email. They actually reported unencrypted email as their most commonly used tool for sharing sensitive information both inside and outside of their organization. It isn’t because they don’t know better: 40% admitted to knowing email isn’t secure but use it anyway. And it’s not getting better – 88% of respondents said they were sending as much or more sensitive data through risky methods today than ever before.
Why are they choosing email?
Users specifically cite email integration (35%) along with a zero-time learning curve (64%) as key requirements for driving compliance with corporate security policies. This would indicate that organizations should examine applications that offer streamlined, yet secure integrations with their enterprise email system. Users reported that using security tools took an average of 8.5 minutes more per transaction. If an employee sends just two secure messages per day, this translates into 8+ hours per month – an entire day – time that both the employee and the company would rather see used more productively.
| TYPES OF INFORMATION | SHARED INTERNALLY | SHARED EXTERNALLY |
| --- | --- | --- |
| Customer data | 62% | 50% |
| Strategy documents and presentations | 46% | 35% |
| Regulated data such as customer/client medical or financial data | 43% | 49% |
| Company business and financial data | 45% | NA |
| Intellectual property like source code and patent filing | NA | 29% |
In closing: How to mitigate risk
Despite the growing use of unencrypted email to send sensitive and confidential documents, there is good news. Employees are willing to adapt if companies make simple adjustments to their secure delivery solutions and policies. Respondents highlighted two key features that would encourage them to select a secure method:
• 75% of survey respondents said that having a confirmation receipt would make a major difference in their choices
• 77% said that they would use a secure tool if they could track who has access to a document
The simplicity and familiarity of email make it the easier and faster choice for most employees, despite the fact it remains insecure and against company policy. This can change by making sure your secure messaging tools have the following attributes:
• Simplicity and ease of use
• Email integration or similar intuitive interface
• Key features like receipt confirmation and the ability to track who accessed the secure message and when
With the additional overhead currently spent on sending information securely, the total time can add up significantly, greatly impacting productivity. Multiply this by the number of employees and you have some compelling reasons to make sure your secure messaging solution is as seamless and quick to use as possible.
Choosing intuitive file sharing tools that do not require significant overhead, and that your employees will actually use, helps eliminate many of the risks created by rushed employees defaulting to using email. Keep this in mind when selecting the right tool – not only to protect your information properly but also to ensure your employees are complying with your security policies.
The survey polled more than 600 U.S. employees whose companies have data security policies and tools in place, and need to share sensitive data. The survey was conducted at a 95% confidence level and +/-4% margin of error. Participants included associate level to C-Suite executives in 20 industries, including healthcare, financial services, and information technology. The survey measured the behaviors and motivations of complying with company data security policies and the use of secure tools to share sensitive data, information, and documents.
Biscom Transit
At Biscom, we believe companies should not have to sacrifice usability for security when sharing
confidential files or emails. With expectations from your customers and clients to keep their
information secure, as well as compliance requirements like GDPR, companies need to guarantee
the security and protection of their sensitive data.
Biscom Transit is a new cloud-based secure file sharing and email solution that provides businesses
with a way to send documents, large files, and email messages as easily as email but with embedded
encryption and activity reports that enable you to meet your security and compliance requirements.
Designed with the customer experience in mind, users can share confidential files and information
securely but without complications. Biscom Transit supports the requirements for HIPAA, SOX, and
GDPR compliance. Learn more at www.biscomtransit.com.
ABOUT BISCOM
Biscom is the leading provider of document delivery solutions for highly regulated industries including healthcare, government, legal, and financial services. The company’s secure message and large file transfer solutions help some of the world’s largest organizations keep documents secure, companies compliant, and employees collaborating. Dedicated to providing superior support, Biscom has been recognized for outstanding customer service from the Stevie Awards and SC Magazine. Biscom uses its thirty years of experience to innovate new ways for companies to securely transmit and share information, keeping confidential data protected.
For more information about Biscom’s solutions, please visit Biscom.com.