Q&A: The State of Data Security, Compliance, and Why Your Company May Be at Risk
DataMotion's CTO, Bob Janacek, discusses a recent survey the company conducted on corporate e-mail and file transfer habits, what's working and what's not, and the dangers of an all too-prevalent approach of rolling the dice when it comes to compliance.
Industry and government regulations require many enterprises to secure sensitive data when transmitting it electronically. Yet, breaches are routinely reported. What are organizations doing to protect data and e-mail as it moves through the Internet? Are they taking advantage of developments in encryption? Are employees following policies or putting their companies at risk?
DataMotion has just released the results of a survey it conducted of IT and business professionals across the U.S. and Canada to gain insight into corporate e-mail and file transfer habits. Respondents held positions in all levels including administrators, managers, directors, and executives. Half were from organizations with more than 500 employees. Industries represented were primarily those with strict regulatory requirements, including healthcare, government, financial services and insurance.
Enterprise Strategies talked to Janacek regarding the survey, the state of data security and compliance, and what enterprises can do to lower their risk.
Enterprise Strategies: According to your survey, 80 percent of respondents said their company has security and compliance policies regarding electronic file transfers, but not even half believe those policies are well understood. What are companies doing to communicate those policies and what should they be doing? From your experience, what is the most effective way to build understanding?
Bob Janacek: On the positive side, it's good to see the majority of companies have security and compliance policies in place. It's an area that has clearly received attention during the past few years. However, as you point out, not only do less than half of respondents feel these policies are fully understood, 84 percent believe employees routinely or occasionally violate them.
That said, there are things that companies need to do when it comes to setting security and compliance policies that work. For instance:
- Keep it simple. Security and compliance aren't in the job description of most employees. As a result, policies covering these areas need to be written in an approachable manner. The more complicated the policy, the more likely someone will say it doesn't apply to them and ignore it.
- A policy needs to "be aware" of what a user does -- it shouldn't force new workflows simply for the sake of security.
- A policy should be consistent regardless of technicalities such as the transport method. For example, don't forbid sensitive information in e-mail but allow it via insecure FTP. Make sure you secure sensitive data in all ways that it is being sent.
- When possible, provide solutions that are built into what the user already does, for example, adding e-mail encryption inside a users' e-mail client. The goal is to minimize introducing complicated procedures.
Was there a particular statistic of the survey that you found troubling?
There were a number, actually. Foremost, when asked to describe their company's approach to compliance, nearly one in three respondents said they take risks because they don't have the resources to be totally compliant. There's simply no excuse for companies to be "rolling the dice."
There's a mistaken and dangerous belief that suffering a data breach is less expensive than the cost of being compliant. What many fail to consider is that the price a company pays goes far beyond fines. In addition, there are investigation expenses, legal fees, and costs associated with new prevention efforts, as well as the severe consequences that come from a tarnished reputation -- including loss of customer trust.
The fact is, this is an unnecessary risk. There are plenty of easy-to-deploy and user-friendly secure data delivery tools available that can eliminate security risk and ensure compliance without breaking the bank, and they certainly beat the fallout from a breach or failed audit.
Aren't these solutions being utilized?
Yes and no. Despite overall growth in usage, the survey showed many enterprises still lack basic tools for secure data delivery. Over one-third of respondents said they did not have the ability to encrypt e-mail. In businesses dealing with sensitive information, that should be routine. Cutting corners here is taking an unnecessary risk.
Furthermore, over half of respondents said they don't have a single tool for securely encrypting sensitive e-mail and transferring files. Enterprises need to keep in mind that the easier it is to use a solution, the more thoroughly it will be adopted.
Finally, enterprises need to do more than just throw tools at the problem. About a third said their company does not monitor the content of outbound e-mail and file attachments for compliance purposes. This needs to be vigorously done and communicated.
Are there other major threats enterprises should be aware of?
Consumer-type file transfer services are a growing concern. Employees may use these services for personal reasons, then figure it'll help them do their job quicker and more effectively. Although well intended, unfortunately, these services often have weak security, compliance, and audit capabilities. As recent headlines have shown, they're unsuitable for the workplace and can lead to data leaks.
In this survey, over one-third of respondents said they have used, or recommended that others use, free consumer-type file transfer services for work purposes. Enterprises need to forbid the use of these in their security and compliance policies.
They should also block the URLs to these services: it's a simple enough solution, yet only 52 percent of respondents said their company has taken this step. In addition, give your users easy-to-use secure file transfer tools so they won't feel the need to turn to insecure consumer-type services to get their job done.
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).