Global cyber security company Forcepoint has today unveiled research showing that 35% of employees across the UK, France, Germany and Italy admit to have been involved in a security breach, presenting regional CISOs with a significant challenge when it comes to protecting company data.
Especially when considering the forthcoming European General Data Protection Regulation. The new legislation will not only make it a requirement to notify of a breach within 72-hours, but also levy strict new penalties of up to 4% of worldwide annual turnover for serious failings.
While high profile incidents and reports have helped to shine a light on the insider threat security problems facing European CISOs, there has been little in the way of comprehensive Europe-wide research investigating the issue in greater detail.
>See also: 3 things every CISO should know
This is why Forcepoint commissioned an independent survey of over 4,000 office workers across the UK, France, Germany and Italy – to better understand attitudes toward data protection and the number of insider threats, malicious and accidental, facing organisations across these territories.
The findings are the result of both intentional and accidental employee activity, with malicious intent, staff negligence, limited security awareness and ineffective corporate policies all emerging as reasons for security breaches. In particular, the research reveals worrying levels of risky behaviour from employees within enterprises.
According to the survey, 14% of employees would jeopardise their job by selling work log-ins to an outsider, and 40% of those would do so for less than £200 – 55% of surveyed employees in the UK would part with credentials for that amount.
Just under a third (29%) of survey respondents have purposefully sent unauthorised information to a third party, while 15% of European staff have taken business critical information with them from one job to another. 59% planned to use it in their next job.
Yet the results also showed a severe lack of employee awareness of how their behaviour increases the data security risks facing an organisation.
>See also: The ever-evolving role of the CISO
Nearly half (43%) of European employees do not believe their organisation is currently vulnerable to a security threat caused by insiders, while 32% are either unaware of or are unsure about the consequences of a data breach.
Nearly a quarter (22%) either do not believe data breaches incur a cost to their employers, or are unsure; with France and the UK representing the nations with the lowest levels of awareness of these costs and consequences.
·39% of European employees report to have received no data protection training and over a quarter (27%) of organisations either lack security policies to prevent data loss or fail to enforce them.
The survey also uncovers some interesting trends across Europe. Italian respondents (45%) are most likely to be involved in a security breach, compared to just 27% of UK respondents.
French workers (36%), on the other hand, are most likely to feel that their organisation is vulnerable to security threats from hijacked systems, rogue insiders, stolen credentials or negligent end users, more than those in Italy (33%) and the UK (22%), and more than twice as likely as German employees (15%).
The cloud, the survey revealed, represents an area of significant uncertainty when it comes to security. In the UK, 55% aren’t sure if their data is more or less secure in the cloud and 38% do not consider security before uploading files.
>See also: The fight against cyber crime requires innovative defence
France was not far behind at 52% and 33% respectively, with lower but consistently significant statistics generated in Italy (33% and 17% respectively) and Germany (33% and 21% respectively);
The need for data protection training is widespread. Nearly half (47%) of French employees have never received training, with the figure at 41% in the UK, 37% in Germany and 31% in Italy.
Mike Smart, product and solutions director at Forcepoint commented: “Research has consistently shown that breaches caused by employees are among the most damaging around in terms of their financial and reputational impact. Organisations that ignore the potential security risks that can be caused by employees and other insiders miss an opportunity to strengthen their security posture and protect their companies more broadly.”