Homepage PR Deadlines newsroom

Ipswitch FT survey reveals staff putting corporate data at risk

Announcement posted by PR Deadlines 17 Oct 2014

By Andrew Henderson, Director, OCG Systems

A frightening number of staff expose corporate data to risk by using their personal email to transfer sensitive files, while a large percentage heighten the risk by uploading company data to cloud-based services.

This sorry picture emerged from a recent survey by Ipswitch File Transfer, which polled over 200 IT leaders and practitioners with security responsibilities about person-to-person file-sharing practices. The results should alarm IT and security professionals.
Findings show that employees are circumventing IT staff by sending confidential and highly sensitive company files via means that are insecure and lack auditability. The results serve as a graphic reminder that when company systems hinder employee productivity, it is both a security risk and bad for business.  There’s no way to sugar coat the survey results:
  • 84 per cent of employees are using personal emails to send sensitive files, often because the file size exceeds corporate mailbox quotas, or because they want to use documents at their next place of employment without the company’s knowledge.
  • 50 per cent of respondents expose company files or data by uploading to a cloud-based service such as Dropbox or YouSendIt.
  • 30 per cent of employees have lost a USB drive containing confidential information.
  • Over half of IT managers lack any visibility into file and data transfer within their organisations.
Many respondents reported feeling pressure from their customers and partners to improve the way they send and receive files. Clearly IT professionals are losing control.  The survey highlighted issues in several areas:

Insecure file sends:  A vast majority (84%) of the respondents send classified or confidential information as email attachments. Of that majority, 72% do this at least once per week, and 52% at least once per day.

Personal Email use:  Nearly half of the respondents use personal email to send company documents and data. And they do so for a variety of reasons:
  • To circumvent file-size limits prescribed for work email  
  • They find it faster and more convenient than using corporate email tools  
  • For use in their next place of employment  
  • They find it difficult to connect to work email when outside of the office 
  • IT does not monitor what they’re sending via personal email
Hackers are constantly on the lookout for ways to steal sensitive data, and they are well aware of the growing use of personal email accounts by corporate staff. It is no surprise that we hear stories such as the one about a group of hackers posting online the user names and passwords to more than 400,000 personal email accounts.

Business users resort to using personal email accounts to overcome file size or connectivity restrictions.  Another common reason is to gain access to documents once they have moved to a new employer.

Business users are sending a clear message with their responses to our study: they have jobs to do. For example they share product information with customers or send purchase orders to partners – and don’t want to deal with the consequences of not getting their work done. They cannot afford the delays or slowdowns associated with jumping through perceived hoops to send out information and files that keep business humming along.

And if IT does not provide the tools staff need to send large and confidential attachments – or if the processes and technologies are too difficult to use – users will take matters into their own hands.

IT professionals should reflect on what business users typically must go through to transfer a file deemed too large to send via corporate email. Often they need to submit to a complex, time-consuming procedure to send the file via a sanctioned file-sharing site. It starts with creating a help ticket indicating the length of time the link should remain active and requesting a user name, password, and IP address.

After 24-48 hours or longer, someone from IT responds, advising that the requested time window is out of the question, that the limit is a day or less. Now the business user is put into a frantic mode, contacting the recipient to make arrangements for sending the file before the link expires.
This manual one-size-fits-all approach might fulfil security requirements and provide corporate visibility into – and enforce policies around – file sharing. But it’s a productivity killer for employees trying to do their jobs.

If the corporate email system limits the size of file attachments, or if IT vetoes their service request, committed and resourceful employees look for workarounds.

The growing prevalence and popularity of file transfer sites and cloud services aimed at consumers is making it easier for business users to sidestep IT restrictions. It is becoming more commonplace for business users to turn to the services they use in their personal lives as a way to get work done. This process is all the more appealing when the services are readily available and free to use. Individual employees are not alone in going rogue: teams and even entire departments discreetly bypass sanctioned means if it results in getting work done quickly and efficiently.

More than half of the Ipswitch survey respondents say they use file transfer sites or cloud services to share or back up work-related files, and 34% say they use them weekly. This behaviour makes it harder for IT to stay in control of sensitive files and data leaving the corporate walls.
When business users aren’t turning to personal email accounts or free file-sharing services to send business information, they are often sticking files on a USB thumb drive, smartphone, or other external device. More than two-thirds (78%) of survey respondents say they are using such means to move or back-up work-related files.

These methods are simple, cheap and convenient – and extremely risky. Consider that 31% of respondents lost an external device containing sensitive business or personal information. Findings from a survey conducted by Ponemon Institute highlight a related risk. The survey found that 55% of information lost on USB flash drives is likely due to malware-infected devices that introduced malicious code on to corporate networks.

Visibility into data movement is low
Most companies create and maintain company policies that mandate the use of approved tools for moving and sharing information. In fact, nearly 67% of respondents to the survey said they have such policies. However, fewer than 32% of those with policies in place strictly enforce the policies, making these mandates largely meaningless.

FREE: 
A copy of the Ipswitch survey report and/or a free 30-day evaluation of the Ipswitch MOVEit automated file transfer solution, are available here:  http://www.ocgsystems.com.au/managedfiletransfer/

Or Contact
James Minett
OCG Systems
1300 624 797
info@ocgsystems.com.au