Egress – some real guidance on the Insider Threat

I am seriously annoyed by most surveys I get to read – they’re mostly meretricious attempts to generate clickbait headlines.

So, it was a pleasure when Egress, a “People-centric data security” company that enables people to classify and share unstructured data securely, presented me with its Insider Data Breach survey. The press release, and access to the full report, is here.

This survey was carried out by a specialist in bespoke market research, Opinion Matters and talking to it confirmed that it understands sampling and survey “good practice”. Perhaps the most immediate clue to its understanding of survey good practice is that it warns its clients that they must be prepared for the survey results not to support their initial expectations. This is not, I imagine, a problem for cosmetics companies surveying 150 people taken to a wellness parlour, all expenses paid, and asked to comment on the efficacy of organic lily pollen or whatever (“136 of 150 men surveyed thought that visible signs of skin ageing were reduced”).

So, what did this survey discover? Well, I wasn’t very surprised to learn that 95% of IT Leaders (in a sample of 252 US-based and 253 UK-based IT leaders and 2004 US-based and 2003 UK-based employees) are concerned about the possibility of data breaches. What is more interesting is increasing signs of a disconnect between leaders and employees in this area. Either leaders don’t trust their employees (either their morals or their ability) or they aren’t selling company security policies effectively to employees, or (most likely) all of these. What should really worry them is that many employees (around 20%, and especially younger ones) apparently think that they have some sort of “ownership” of data that they have collected, managed or distributed, and can therefore use it as they see fit. The implications for regulations such as GDPR (and intellectual property regulations) don’t bear thinking about. What is needed, I think, are effective education and cultural change initiatives, sponsored from the very top of the organisation.

Tony Pepper, CEO and co-founder of Egress, says:

The results of the survey emphasise a growing disconnect between IT leaders and staff on data security, which ultimately puts everyone at risk.

Now, perhaps you think that all that is rather obvious. Possibly; but it is actually rather important to test the obvious and set baselines. Sometimes “what everyone knows” is simply rubbish (or, worse, the result of a deliberate “fake news” campaign). It is important to quantify the obvious.

Then, good research suggests new questions and further research. In this case, the responses from the UK and the US were fairly similar and perhaps their cultures are too similar. What if you conducted the same survey in the Nordic countries which, anecdotally, pay more attention to human and emotional factors at work? Would the results be different? Can you quantify the anecdotal attention to human factors in Nordic countries a bit? I hope that Egress carries out more surveys in the future and extends the scope of the questions it asks.

Egress is, obviously, not disinterested in its survey; but I think it genuinely seeks knowledge and clarification of Insider Threat issues, rather than just support for its marketing activities. More knowledge of the bigger picture, from altruistic research, is actually valuable to Egress’ marketing efforts around its specific products, I think. So, I also hope that Egress finds some way to donate its research to some independent industry body, where it can help to illuminate the security threat domain generally.