Study: Employees Undermine Data Breach Prevention Strategies
Many employees disable the encryption solutions on their laptops, putting their employers at risk for data breaches, according to a study by Absolute Software Corp. and The Ponemon Institute.
The study, “The Human Factor in Laptop Encryption: US Study,” examined the use of encryption on laptops by employees within U.S. corporations. Data revealed that more than half (56 percent) of business (non-information technology) managers polled disable the encryption solution on their laptops. Ninety-two percent of IT security practitioners reported that someone in their organization has had a laptop lost or stolen, and 71 percent reported that it resulted in a data breach. Results indicated that it is employee behavior that undermines data protection efforts in corporate America.
“The data suggests that, because of user behavior, encryption alone is not enough to protect mobile devices and the sensitive data stored on them,” said Dr. Larry Ponemon, chairman and founder of the Institute. “These statistics are especially disconcerting when combined with our recent studies demonstrating that lost or stolen laptops are the No. 1 cause of data loss, with 3 out of 4 companies experiencing a data breach when a laptop has been lost or stolen.”
The report showed that many business managers fail to take precautions to secure their laptops, such as using additional security solutions, and instead are overly dependent on encryption solutions to protect the sensitive data on their laptops.
Other key findings of the study:
- 56 percent of business managers had disengaged their laptop’s encryption;
- Only 45 percent of IT security practitioners reported that their organization was able to prove the contents of missing laptops were encrypted;
- Only 52 percent of business managers – most likely to have access to the most sensitive data (personally identifiable information and/or intellectual property) – have had employer-provided encryption;
- 57 percent of business managers either keep a written record of their encryption password, or share it with others in case they forget it;
- 61 percent of business managers share their passwords, compared to only 4 percent of IT managers; and,
- business managers are much more likely than IT security practitioners to believe encryption makes it unnecessary to use other security measures for laptop protection.
In the event of a theft, companies relying solely on encryption cannot be sure whether all stored data on a laptop has been encrypted, if it has been compromised or even which files have been accessed by thieves, the study said. This can leave corporations with gaping holes in security efforts, and risk exposing the company, employees, customers and consumers to data and identity theft.
To help solve security risks, companies can employ a security solution that can locate a stolen laptop, detect which data has been accessed, and remotely delete sensitive data.
“While encryption technology provides a high degree of data protection, it must be complemented by additional security layers that are not dependent on the diligent behavior of corporate employees,” said John Livingston, chairman and CEO of Absolute. “If I were tasked with data security, I would … immediately assess my company’s data protection strategy … Corporations may incorrectly assume that since it is company policy to encrypt mobile data, they are not at risk for a data breach. With more than half of business managers disabling their encryption solutions, companies are left incredibly vulnerable to theft and data loss if they do not utilize additional layers of security.”
U.S., U.K., and Canada “The Human Factor in Laptop Encryption” studies are available at www.absolute.com/humanfactor.