Security

Report: Nearly 3 in 4 Employees Disclose Confidential Data

• By Sri Ravipati
• 04/24/17

There is a lack of understanding in the workplace — across sectors like education and government — regarding data security policies and how confidential data should be shared. Many employees are likely to share confidential information and, more often than not, they do so without proper data security protocols. In most cases, there are no repercussions for the employees sharing this data since they are often unaware of the protocol breach.

These findings come from the “Dell End-User Security Survey,” released last week. Dell commissioned a global survey of 2,608 professionals who handle confidential data at companies with 250 or more employees. Overall, the survey found that “a staggering 72 percent of employees are willing to share sensitive, confidential or regulated company information.”

The most cited reasons for disclosing company information were:

• Employees were directed by management to do so (cited by 43 percent of respondents);
• They shared with a person authorized to receive it (37 percent);
• There was low risk and the benefit was high (23 percent);
• It will help them do their job more effectively (22 percent); and
• It will help the recipient do their job more effectively (13 percent).

How employees deal with company information varies across industries. Employees in financial services, for example, were the most likely to share sensitive, confidential or regulated company information (81 percent of respondents in that industry), followed by employees in education (75 percent), healthcare (68 percent) and federal government (68 percent).    

But the problem doesn’t stop at disclosing information: The survey revealed an abundance of unsafe practices that contribute to the issue. For instance, 45 percent of employees across organizations admit to engaging in unsafe behaviors throughout the workday — like connecting to public WiFi when handling company information (46 percent of respondents), using personal e-mail accounts for work (49 percent) or losing a company-issued device (17 percent). These behaviors are worse in highly regulated organizations: More than half of respondents there (53 percent) use personal e-mail accounts for confidential work and more lose company devices (21 percent). However, employees at small to mid-size organizations are the biggest culprits of these unsafe behaviors.

Furthermore, when employees leave a company, about 35 percent will take company information with them. Among those individuals, 36 percent will take work that they personally worked on, but 16 percent takes work that others have completed. When national origin is factored in, employees from India are the most likely to take company data with them (57 percent), while employees from Japan are the least likely (15 percent), according to the report.

Other key findings from the survey include:

• Another common unsafe practice (which 36 percent of employees said they do) is opening e-mails from unknown senders at work, “potentially opening the door for spear phishing attacks in which a cybercriminal seeks unauthorized access to sensitive information from a specific organization or individual by posing as a trusted source,” the report stated;
• 53 percent of employees at companies that use public cloud services like Dropbox, Google Drive, iCloud and others for sharing or backing up work do so using a personal e-mail account rather than a corporate account; and
• 65 percent of employees feel it is their job to protect confidential data, but only 36 percent feel “very confident” about their ability to do so.

In most circumstances, the employee who disclosed the information made the judgement call independently, or without receiving clearance. The report suggests that to address these data issues, “companies must focus on educating employees as well as enforcing policies and procedures that secure data wherever they go, without hindering productivity.” To this end, Dell recommends companies “create simple, clear policies and ensure they outline steps for handling common scenarios that employees face.” Additionally, security should not limit business initiatives, so there needs to be a balance between security and productivity. This can be achieved “through closer alignment between an organization’s C-Suite and IT teams.” Finally, companies should use security solutions that protect data wherever they go.

View the full report on the Dell site.