Although viruses and other malware apps still plague businesses, it is the poor habits of a company's employees that cause the most problems for corporate security staff. We all know that employees do dumb things and will continue to do so, no matter what we, as IT, try to do about it. There's no amount of lockdown that can prevent stupid*. A combination of training and strict policy are the only hopes for preventing chaos.
A recent report released by Globalscape "reveals that employees rely on unsecured, consumer-grade tools to send sensitive corporate documents".
The survey consisted of responses from more than 500 professionals and yielded some interesting and disturbing results:
- 63% of employees use remote storage devices to transfer confidential work files
- 45% of employees use consumer sites like DropBox and Box.net
- 30% of employees use cloud storage services
- >60% of employees use personal email to transfer work info
- Nearly 75% think IT approves of this behavior
Almost one-third of the employees who use their personal email to transfer work information know that their email accounts have been hacked.
Some of you who read this will assume that BYOD is to blame here, but that isn't the case at all. This survey didn't separate out those respondents with BYOD programs in place, so there's probably a mix of the two represented here. So no direct inferences can be made from these data about BYOD versus corporate-owned devices.
And I'm not sure that it matters for most users whether they're using corporate-owned devices or personal ones. If the app or service is available to them, they'll use it to work around corporate roadblocks. In most cases, users are not using these services maliciously or with ill intent. They're simply using apps, services, and sites familiar to them.
"Millions of employees are actively using consumer-grade tools, like personal email, social media, and file sharing sites, to move confidential work files every day," said James Bindseil, president and CEO of Globalscape, a developer of secure information exchange solutions. "While the intent is typically harmless, these actions can have serious security and compliance ramifications."
And some enlightening file sharing statistics:
- 48 percent of employees said that their companies have policies for sending sensitive files
- 30 percent said that their companies don’t have policies in place
- 22 percent were unsure whether a policy existed
"The information-sharing needs of today's workforce are rapidly evolving, and most organizations are failing to keep up," says Bindseil. "Employees need and expect instant access to information, and the ability to send and store files at the press of a button. When internal technology and tools come up short, employees will find a workaround."
While there are many reasons that employees find alternatives to their company-provided file-transfer tools, the biggest drivers are simplicity and ease of use. According to Globalscape's survey:
- 52 percent said it's more convenient to use a tool that they know well
- 33 percent reported that recipients have had trouble accessing files sent through the company system
- 18 percent said they use alternatives because the company's tool does not offer mobile access
"Speed, simplicity, and mobile access are critical," said Bindseil. "If enterprises have any hope of managing and securing the sensitive data leaving their organization, they need to provide solutions that easily integrate into the daily routines of their employees."
In my opinion, it's difficult to monitor every employee's actions regarding file sharing, personal email, or the transfer of corporate documents via USB sticks, writeable DVDs, or cloud services. And I believe that the problem has less to do with who owns the device and more to do with who's using it. It's a well-known fact that employees are the weakest security link. It is for that single reason that phishing attacks and social engineering are so effective in circumventing multi-million dollar security initiatives.
The answer is training and well-written, explicit policies regarding these services and actions. It's not enough to simply send out a memo once a year regarding employee behavior. Employees must be taught how to properly transfer files from one corporate location to another without using personal cloud services, to use corporate email services without compromising data, to deflect phishing and social engineering attacks, and to not transfer sensitive data, or any corporate data, via USB sticks or SD cards.
It isn't enough to say, "It's in the manual". Employees need training—training on corporate approved methods and on the policies regarding such activities. If no training exists, it's time to implement it. If no policies exist, it's time to write them.
I further suggest that companies discuss the needs of their employees with the employees and perhaps purchase tools and services that remove the need for circumventing corporate standards and security. If you believe that the numbers presented here are skewed or not applicable to your employees, conduct your own anonymous survey with your employees to find out for sure.
What do you think of the survey results? Do you know of coworkers who use these "forbidden" services or tools? Do you, yourself, use such services or tools? Talk back and let me know.
*A Ron White reference for fans ("You can't fix stupid").