Employees are both the best defense against company data loss and the biggest cause of the problem, according to a new report from Egress.

In the second global insider data breach survey, 78% of IT leaders said they think employees have put data at risk accidentally in the past 12 months, and 75% believe employees put data at risk intentionally.

At the same time, 58% of managers said employee reporting is more likely than any breach detection system to alert them to an insider data breach.

About half of IT leaders said they are using anti-virus software to combat phishing attacks, 48% are using email encryption, and 47% provide secure collaboration tools.


Egress CEO Tony Pepper said he thinks this shows that IT leaders are resigned to the inevitability of insider breaches and don’t have adequate risk management in place.

“Effectively, they are adopting a risk posture in which at least one-third of employees putting data at risk is deemed acceptable,” he said.

The survey also found that senior level employees were most likely to intentionally share data against company policy in the past year, with 78% compared with just 10% of administrative staff.

Directors are the most likely to take data with them to a new job – 68% did so when they changed jobs, compared with the overall average of 46%.

The second annual survey looks at the causes, frequency and implications of internal security breach incidents and the perspectives of IT leaders and employees about risk, responsibility and ownership.

Who owns the data?

In addition to asking managers about data security, Egress also asked employees about the topic. The employee-facing research found 29% of respondents said they or a colleague had intentionally shared data against company policy in the past year.

When asked about data ownership and responsibility, 41% of the employees surveyed said data belongs to the departments and teams that created the information while 61% of directors agreed with this idea. Twenty-two percent said that all employees of a company had rights to the data, not just the people who created it.

“Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe, and this is a toxic combination for data protection efforts,” Pepper said.

The report authors also suggest that the shift to more remote work may have a psychological impact on ideas of data ownership and cause workers to develop a more proprietary attitude to data they develop.

Even though some employees are unclear on who owns company data, 46% said they took data with them when they left to work for a new company, a clear violation of policy.

What data is most at risk?

IT leaders have to understand what data is at risk before defining a strategy to protect it from insider breaches. Managers in the survey said that employee data and intellectual property were most vulnerable to both intentional and unintentional breaches.

Phishing is the biggest cause of unintentional breaches among managers (61% of directors said they had fallen for this trick), while 44% of administrative workers said they had mistakenly sent data to the wrong person.

Managers are much more worried about the financial impact of a breach in this year’s survey, with 41% listing that as the biggest risk of an internal breach, compared to 27% in last year’s survey. Managers are slightly less worried about reputational damage, with 31% naming this as the biggest risk of a breach, compared to 38% last year.

Survey methodology

Research organization Opinion Matters conducted the survey in January 2020, reaching 500 IT leaders and 5,000 employees in the UK, US, Belgium, the Netherlands, and Luxembourg.

A survey about insider data breaches found that employees were just as likely to share data accidentally as they were to break company policy on purpose.