Posted June 25, 2020 by Mark Perna
Can working from home widen the already-startling holes in company security? Mark’s article, “Data Loss Has Companies Worried—But Not Worried Enough,” was published at Forbes.com on June 17, 2020.
Working from home is in the spotlight amid the COVID-19 pandemic. And while it offers many benefits to employers and workers alike, new research is uncovering a dark side when it comes to company security. Tessian’s The State of DLP 2020 reveals that effectively half of all employees (48%) are less likely to follow safe data practices when working from home.
Data loss prevention, or DLP, is a growing concern for IT leaders in both the U.S. and UK, says Tessian, with 84% reporting that DLP is more challenging when people are working remotely. Meanwhile, employees cite several reasons for not following security protocols. Topping the list: they’re not working on their usual devices; they feel as though they’re not being watched by their IT team; they’re distracted; and they’re under pressure to get work done quickly.
What’s more, the problem is worse than many companies realize. For example, IT managers estimate that each year, just 720 unauthorized emails are sent within organizations of 1,000+ employees. But Tessian reveals a startlingly higher number, with 27,500 such emails sent annually—or 38 times the amount estimated by IT managers. Additionally, in organizations of 1,000+ employees, around 800 misdirected emails are sent every year—nearly double IT managers’ estimate of 480.
According to Tessian, employees aged 18 to 30 are three times more likely to send misdirected emails than their coworkers aged 51 and over. And while employees aged 31 to 40 are generally more careful on email, over half (57%) admit to firing off an email to the wrong person.
Such a relaxed attitude on the part of Gen-Z and Millennial workers may stem from having grown up in an “always-on” culture, where, as digital natives, they’re fully accustomed to instant, unfiltered forms of communication. And this, cautions Tessian, is especially concerning because Millennials in particular represent the largest share of the labor market of any single generation.
If employees simply knew more about safe, secure practices for handling company data, DLP would improve, right?
While more training seems like a logical remedy, employees who receive such training once every 1–3 months are almost twice as likely to send company data to personal email accounts as employees who receive training just once a year.
Likewise, while highly regulated industries, such as healthcare and financial services, tend to conduct security training more frequently than others, their incidence of unauthorized data being downloaded, saved or sent to personal email by departing employees is among the highest. Moreover, roughly half the employees in these especially data-sensitive fields admit they’ve misdirected emails.
And perhaps most interesting of all is that in organizations that conduct security training just once a year or even less frequently, the percentage of employees sending unauthorized emails falls to 43%.
For many employees, the ability to work from home indefinitely should motivate them to follow company security policies—even if they do add an extra step. But what can’t be overlooked here is that the majority of remote employees who are skirting security protocols do so simply because they are feeling the pressure to perform. They’re trying to get their work done as quickly and efficiently as possible. By and large, these aren’t egregious behaviors.
This puts the onus on IT teams to create a path of least resistance that doesn’t impede or unduly burden people as they work from home. If IT teams provide a simple, secure work process—one that’s as easy as any shortcut—employees will almost certainly follow it.
For starters, soliciting insights from employees who admit to taking shortcuts is a surefire way to uncover data vulnerabilities. Such info—which could even be sourced anonymously—would likely reveal the means or workarounds that employees are using, why they are using them and what would work better for them. All to say, working with employees, not against them, is the best way forward as companies seek to plug security gaps.
Creating a secure path of least resistance is a challenge, but one that companies must meet as the remote workforce redefines the American workplace.