A study conducted by Imperva has revealed that organisations in the UK have not changed their attitudes to the threat of insider breaches despite the lessons of Wikileaks. In its survey amongst IT security professionals, 86% could not categorically state that they knew how many sensitive files their organisation had. Only 41% had an idea where sensitive files were stored on their networks, while 18% admitted they didn’t know. In fact, less than half (43%) knew which users had access to sensitive files, while 32% confessed that their organisation had lost data as a result of people abusing file access rights.
Imperva conducted an identical survey in the US and, while there were similar levels of inadequate awareness and protection of sensitive files, the critical difference is that US IT professionals planned on taking some preventative action. In the US, 82% of survey respondents stated that Wikileaks had forced them to rethink their company’s data security strategy, while in the UK only 32% are giving it a second thought. Additionally, 70% of the professionals surveyed in the UK, versus 58% in the US, do not plan to increase the money they invest in data security.
Imperva’s CTO, Amichai Shulman, explains why these results should make organisations in the UK rethink their attitude towards data security: “The fact that almost a third of the organisations we spoke to had suffered a data breach indicates the importance of protecting files containing sensitive information. With 80% of all sensitive company data stored in files, and this number is estimated to grow by 60% annually, the problem of unidentified and unprotected files will also grow unless people start to take it seriously. Effective user rights management and file access monitoring will help organisations not only identify where their sensitive information is located, but also who is accessing it. Only then will they be able to accurately control its use and prevent its abuse.”
The survey of over 320 security professionals was conducted amongst visitors to RSA in the US and Infosecurity Europe in the UK.