TechRepublic's Dan Patterson spoke with Christy Wyatt, CEO of Dtex Systems, on the cavalier attitude many employees have regarding data breaches, despite most being aware of the inevitable dangers.
Dan Patterson: A new report by Dtex Systems indicates that one-third of government employees believe they are more likely to be struck by lightning than to have their organization's data compromised. That's terrifying. Christy, let's start with the report itself. How was this conducted and what were some of the findings?
Christy Wyatt: We partnered with a third-party research firm to go and conduct the survey, and the data was actually really interesting. First and foremost, I would say, employees recognized their vulnerability. They recognized the sensitivity of the data they were accessing, but they also acknowledged that there was an inevitability that they would be compromised and hackers would get in. That said, they had an incredibly high level of confidence in IT's ability to protect them and the security of the organization. So, the one-third who believe they are more likely to be struck by lightning, it's not that they don't believe they're targeted or that they're going to fall prey, but they believe that somebody will cover them, essentially.
Patterson: How do we then break down some of the walls that exist between IT and other departments, and help employees realize that not only are they susceptible to risk, but that they are perhaps responsible for keeping their organizations safe?
Wyatt: That is actually the biggest gap in understanding that we found in the research. Despite understanding their vulnerability and having confidence in the organization, there was a significant lack of personal responsibility. So, even when employees know that their own behavior is not aligned with what secure practices would look like, they're not choosing to do the right things, and they're not being given the right tools in some cases. They still believe that somebody else will have their back. Our data at Dtex shows, and lots of third-party data actually shows, that a significant number of breaches, 60-70%, actually involve human behavior on the inside, either negligence or maliciousness.
So, this gap is actually pretty significant. They assume that even when they're behaving in a way that's not aligned with keeping the data secure, it's somebody else's responsibility to cover them. And they actually feel no sense of personal responsibility, or at least a significant number of the respondents, more than half actually, felt like they had no personal liability for what happens with that data.
Patterson: I know that the report covered government employees. Does this differ between enterprise organizations and perhaps smaller companies, say SMBs or startups? Or is this across all organizations?
Wyatt: I think it is different. I think the first place where it would be different is in the sense of vulnerability. We talked to a lot of commercial organizations who actually don't feel that same sense of vulnerability. They feel like they don't have data that somebody is trying to attack. They're not going to fall prey to nation-state attacks. There aren't people who are looking for them, or they're not working with the crown jewels within the organization, and I think lots of people in the commercial sector believe that their role is not connected to something worth stealing. The number of times we have customers say, "Yeah, but my employees don't really have access to stuff that people are going to spend a lot of money to come after." And what they don't acknowledge is that every organization has data that is even just vaguely embarrassing, if not extremely damaging, to their organization. So, every single individual plays a role in securing the company.
Patterson: What can managers or the C-level do to help employees understand the imperative of cybersecurity across all departments?
Wyatt: I think transparency is something that we are big fans of, and that we promote a lot across our customer base. Employees don't often understand how bad actors get in. They don't understand that it's inadvertently typing the wrong URL and landing on a site that actually downloads software. There was an interesting post by Brian Krantz this morning that talked about what we all call the "fat finger," where you type in the wrong domain, and how many people actually download malware as a result of going to those places, or getting hit by ads, etc. They don't understand that if they open an email and they connect to a phishing link, their credentials are stolen and that bad actor now has that access to come in and root around.
So, closing that gap of understanding is actually really important. One of the things we see really successful organizations do is actually have very open public conversations. Yes, we are instrumenting the organization, so we know where our data's going. And here's what we saw in the last 30 days. We have seen folks who actually stand up at all-hands meetings and say, "The last 30 days, here's what we saw," not in a naming-and-shaming way, but as a real-time teachable moment. We had an employee that clicked on something that looked like this, and then this happened. Folks would look at that and go, "Oh gosh. That could have been me." Or you downloaded pirated software, did online gambling or online shopping at something that you're not supposed to go to on the corporate network. Did you know that when the person sitting next to you did that, they actually brought down a bunch of viruses that impacted the rest of the organization? People don't understand that connection between their personal behavior and the impact on enterprise security.
Patterson: Christy Wyatt, Dtex Systems. It's always great to talk to you for these types of insights. I wonder if you could leave us with a forecast or projection into, say, the next 18 or 36 months, not necessarily in cyber threats, but in organizational security and things that you see good companies doing that you hope to see other organizations do in the next, say, year to three years?
Wyatt: I think that the cultural shift that we're seeing, and I'm a big fan of, is the public accountability. I think even in the last 24 hours, we saw the Panera breach, or the story unfold, if you've been tracking that one. And a company's first response is often suspect, denial. It's almost like the "12 Stages," your anger, denial. It's not us; manage the situation, manage the situation. And almost every time we see, Equifax, Panera, there's a whole list of them, being very transparent, "Here's what we found," being very proactive, leaning in, taking accountability. These are going to happen. They're going to continue to happen. Technology is fallible. Humans are fallible. So understanding that this is the world we live in, you need to lean in and be proactive and be an aggressive part of the conversation, as opposed to hiding it, stuffing it, burying it, shying away from it.
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.