SC Magazine's latest survey, on the issue of securing data on the move, shows email in fine fettle and raises concerns about how confidential information is shared. We analyse the key findings from the poll.
In our latest survey, produced in association with Egress, we focused on the urgent issue of securing data on the move and asked how businesses are sharing information. With more and more enterprises moving to mobile-centred working, we wanted to find out how ready CISOs really are for this fundamental shift.
The first revelation from the survey was just how often confidential information was being shared on a daily basis: some 40 per cent of respondents were doing just that – and that is confidential information, remember. If that percentage were common across all businesses, it would seem imperative that systems were put in place to protect that data.
Of course, there is a caveat: how do you define confidential information in the first place? One of the teachings current in information security is the importance of auditing data to classify, according to the business definition, that which is confidential.
Despite current predictions of the death of corporate email, thanks to all those “Generation Y'ers” (those under the age of 18) bypassing email in favour of social media, according to our survey email is by far and away (68 per cent) the most used transfer method for sharing data, confidential or not.
It seems, then, that it would be foolish to predict that email will no longer be the dominant form of data transfer in five to ten years' time. Meanwhile, although the dreaded USB stick remains popular, with all its attendant risks, file transfer services such as FTP are increasingly popular (37 per cent). And that figure rises to 50 per cent when it comes to sharing files too big for corporate email systems. The rise of tablet apps such as Dropbox that make FTP sharing simple has no doubt contributed to this.
A key finding of the survey is the response to the question: When sharing information, do you know for certain exactly who, when and where that information is being accessed? It's encouraging that nearly 60 per cent answered in the affirmative, but that still leaves 40 per cent who were unsure. It is unlikely that the CEO of your business would be reassured to learn that their CIO or CISO is part of that 40 per cent.
Of course, it's not just securing data at issue here, but also enabling employees and users to have the tools and resources to share that data when necessary. Here the survey is split almost 50/50 in response to the question: Have you or your staff ever wanted to share confidential data securely but found existing processes too restrictive, resulting in information being sent without appropriate protection? It would seem that a lot of businesses are making it hard for employees to share confidential information, which carries the risk of them bypassing the secure channels altogether and hoping for the best – never a good idea.
Another response related to this shows that some 67 per cent think such systems are often “too complicated for sender and recipient”.
When asked whether their staff understood the implications of a data breach and the fines levied by the Information Commissioner's Office or Financial Services Authority, 62 per cent said they did. This seems a little high and perhaps reflects a certain degree of wishful thinking (or, even, delusion) on the part of respondents. Only nine per cent replied in the negative.
However, an overwhelming 86 per cent cited reputational damage as the primary concern should a data breach happen – and it's hard to argue with that. While an organisation can, and often does, recover from financial damage, reputational damage, especially surrounding the loss of personal data, is far harder to bounce back from. For example, HMRC is still haunted by charges of incompetence following the loss of two highly sensitive CDs five years ago.
Finally, when it comes to methods of protecting data on the move, the results show that our old friends encryption and password protection are overwhelmingly the most popular. The crucial question remains, however: businesses may deploy these systems, but how effective are they?