Enterprise leadership has buried its head in the sand regarding the risks of ungoverned file-sharing practices among employees, according to research conducted by the Ponemon Institute and sponsored by enterprise file sharing and collaboration leader Intralinks.
Based on a survey administered to 1,100 IT professionals across three countries (U.S., U.K. and Germany), half of these leaders said they are themselves part of the problem, admitting they engage in fundamentally poor behavior, and have failed to set up corporate policies or assign accountability for data loss.
Just under half (49 percent) of respondents do not agree or are unsure they have clear visibility into employees’ use of file sharing or file sync and share applications.
Meanwhile, 61 percent of respondents confessed that they have "often or frequently" shared files through unencrypted email accounts, failed to delete confidential documents as required by policies, accidentally forwarded files or documents to unauthorized individuals, or used personal file-sharing/file sync-and-share apps in the workplace.
Less than half (46 percent) of respondents say the chief security officer (CSO) and chief information officer (CIO) have ultimate authority and responsibility for securing document collaboration and file-sharing activities.
"Our research suggests that the relationship between the CSO and the CIO can be very tense. CIOs are mainly focused on IT productivity. From their perspective, dealing with security requirements is just a necessary evil," Larry Ponemon told eWEEK. "On the other hand, CSOs--and CISOs--are mainly concerned with the security of data and IT infrastructure. At times, the push for greater security creates operational problems for CIOs, especially when security requirements are viewed as diminishing IT efficiency."
More than 26 percent of applications are being used by various business functions without the IT department’s approval or knowledge.
Half of respondents said they do not agree or are unsure their organizations have the ability to manage and control user access to sensitive documents and how they are shared.
The majority of the organizations represented in the research have policies for managing and controlling data sharing, but often these policies are not being communicated to employees--more than half of respondents (52 percent) say their organizations have a clear policy for the adoption and use of cloud-based file sharing/file sync-and-share applications.
But less than half (46 percent) say their organizations have yearly training programs on the risks of data loss and theft. In fact, 31 percent of respondents say they are unsure if such training exists.
Only 9 percent of respondents said their organizations are certified and fully compliant today with ISO 2700--the international standard for process-based security.
Meanwhile, 50 percent of respondents say that more than half of their organization’s documents containing sensitive or confidential information are exchanged with third parties.
The survey also revealed that almost one-third of respondents said more than half of employees in their organizations regularly share files outside the company or beyond the firewall. Sixteen percent could not even determine if that had happened.
In addition, a number of unsafe practices are happening frequently or often in the majority of organizations, including receiving files and documents not intended for the recipient (60 percent) and ignoring policies and not deleting confidential documents or files (61 percent).
The survey found 61 percent accidentally forward files or documents to individuals not authorized to receive them and 62 percent accidentally send files or documents to unauthorized individuals outside the organization.
Fifty-four percent of respondents say the organization’s IT department is involved in the adoption of new technologies for users such as cloud, mobile and big data analytics.
However, their ability to control the risk of unsecured file sharing has been diminished by the increasing influence of business units in how file sharing and collaboration applications are used.
While 46 percent of respondents say the CISO and CIO have ultimate authority and responsibility for securing document collaboration and file-sharing activities, 21 percent say no one function has ultimate authority.