May 27, 2021

When Users Don’t Care about Data Security

Christopher Pin

“Users don’t care.”

This is a sentence that I heard recently, and it resonated with me because it is frighteningly accurate: Research has shown that typical business users don’t care about data security. They want to perform their daily tasks or complete projects and will generally do whatever it takes to accomplish that, whether or not it’s good security practice.

According to Gartner, a technology research firm, one laptop is stolen every 53 seconds. Figures have shown that the theft often occurs in offices, public transport, airports, restaurants, and hotels. With laptop theft being such common occurrences in companies and business organizations, it is no surprise that almost half of these thefts have resulted in a data breach.

Compared to hacking a secure network, it is much easier to download information from an unencrypted or unprotected laptop, a reality that a lot of business owners and IT professionals fail to realize. Most companies will secure their office networks with sophisticated software. However, one practice that is often overlooked is controlling how employees secure the information stored on their laptops.

The cost of these lost or stolen devices are estimated to be as much as $50,000, but can be much more significant if sensitive data is accessible on a stolen device. Depending on what is on the laptop, data for as many as tens of thousands of individuals could be at risk, including data on your employees, customers, vendors, contractors, and more. Not to mention the risk that stolen access to this data poses to the corporate network.

New Vulnerabilities with Remote Work

So what are some things an IT organization can put in place to help alleviate some of the burden placed on end users regarding IT security?

First off, let’s look at the work environment as we know it today. This environment is much different than it was prior to COVID, and despite some normalcy returning, it’s unlikely it’ll ever completely return to what we knew before. In today’s world with remote working continuing to boom, there are times employees will not connect to VPNs, or a VPN becomes inaccessible for a variety of reasons. Expecting your end users then to always be connected isn’t a reality.

Because of this, there has been a shift more and more toward users downloading what they need from the corporate network to their local machines (laptops, tablets, phones), then disconnecting from the VPN while they perform a specific task. Once the task progresses, the user will reconnect to the VPN and finalize their work.

This practice is not uncommon at all, yet it poses several risks to an organization. Your most sensitive data could be lost, stolen, intercepted, or even attacked by ransomware. What happens if those employees lose a device? Is your data protected? Do you even know what data was on the device? How would you even go about reporting this breach?

Policies Alone Aren’t Enough

I have been fortunate enough to be included by several companies while they were going about creating or revising their new security, privacy, and best use policies. These policies will help inform and educate your users, but at the end of the day, its really up to each individual to act and take responsibility for what is on their devices.

So, what can IT do to help alleviate or ease the burden on the end user? Enabling agent-based automated data discovery and file classification—as well as enabling your users to manually classify their files—will ensure your agent-based data loss prevention (DLP) and other protections are best informed as to file contents and location.

Understanding what is actually inside of these documents and being able to update the enterprise server each time the device touches the VPN is critical to understanding what data would or could be impacted in the event the device was lost, stolen, or otherwise compromised.

Automatic and Manual Options to Protect

Leveraging PKWARE’s PK Protect suite, we enable your end users to properly tag or classify each and every document they create or download as restricted, public, classified, or any other custom classifications your organization may use. In addition, a back end engine leverages data discovery and policies so that when certain items are detected, even in instances where the item was not classified or tagged the file or was tagged/classified incorrectly, our engine will automatically correct it.

PK Protect also enables your users to safely send and share encrypted files even outside of your organization by leveraging personalized keys to encrypt before send and decrypt on delivery. Discovery capabilities mean that IT organizations can easily understand both what is on all of their endpoints as well as what data resides on their enterprise servers.

Having a well-rounded data awareness program or solution will ensure things like data security, data privacy, and even data governance never go forgotten. It can also ensure that your end users do not feel as though they have to do anything beyond their normal duties, which means that your environment isn’t put at any undue risk of exposure.

Curious how PK Protect can work on your data to make protection easy and intuitive? Request your free personalized demo now.

Share on social media
  • Apr'24 Breach Report-01
    PKWARE April 17, 2024
  • Data Retention: Aligning Data Protection Strategies with Compliance Requirements
    Ben Meyers March 13, 2024
  • Data Breach Report: March 2024
    PKWARE March 8, 2024
  • PCI DSS 4.0 Compliance: Safeguarding the Future of Payment Security
    PKWARE February 22, 2024