At least one in two employees believes it's acceptable to remove confidential data from the office. Sixty-eight percent of employees aged 18-34 say it's acceptable, and 50% of those 55 and older believe it's okay, according to a 2012 FileTrek document security survey of 2,625 Americans age 18 and older.
-- When the boss says it's okay: 48%
-- To finish a late-night project from home instead of having to stay at the office: 32%
-- To work over the weekend or while on vacation: 30%
-- When it is confidential information about themselves: 16%
-- When it can be brought back to the office before the boss knows it was gone: 2%
-- To show something to family or friends who promise to keep it confidential: 2%
Loose regard for confidential data has combined with free, abundant disk space, the fluidity of the Internet, and simple drag-and-drop cloud repositories to create a new type of data loss right under the nose of IT.
The IT department is already busy defending data from more conventional attacks, such as socially engineered spear-phishing attacks, brute-force hacks on admin passwords, or raids on databases. These attacks come at the perimeter, but a growing type of data loss is coming from the inside--users who lose an unencrypted thumb drive or laptop, or who share a couple of gigabytes in SugarSync.
Once the data has left the domain, it is essentially lost because control of the data has been lost. Shadow IT projects--those unknown to IT--create data sprawl and contribute to greater risks of data loss. Multiple versions of a spreadsheet can be anywhere in or out of the organization, and even robust document management systems such as Autonomy Filesite, which can create user profiles, version histories, and audit trails, cannot trace the location of files that have been locally checked out of the repository.
There's also the problem of change conflicts. When there are multiple copies of data and no change-management system in place, it can be hard to know which version of the file is the most current.
So why do nearly half of employees think it's fine to move confidential data offsite--yet 79% also believe it's grounds for termination? I put this question to Dale Quale, CEO of FileTrek. "It's kind of like when you were a kid," said Quale. "Your parents tell you don't play with matches, but until you get burned ... you think of it as more of a guideline than as a rule. In other words, you have to get caught or have a fear of getting caught. I don't think people fear being caught. IT policy still hasn't caught up with the new consumerized enterprise, so the penalties really aren't in place." Quale added, "It's all about how they've grown up. People post private information about themselves all the time and share it with complete strangers. I think it's difficult for them to distinguish between workplace confidentiality and personal confidentiality."
FileTrek--which sponsored the Harris survey--is one of a number of startups, such as Box and Egnyte, that combine document management with cloud storage. And though it's not an enforcer, FileTrek provides the ability to trace and audit data even outside the enterprise. Once a file is shared, compliance is forced: the recipient must install the desktop client (an iOS app is coming soon) in order to open and view the file. Once the recipient does this, the audit trail continues. If the recipient doesn't install the software, they can't use the file. Changes made to the file are reflected in all iterations.
Used with a clearly defined policy that details both the scope of what's confidential and the consequences for failing to comply, products such as FileTrek can act as a deterrent to private data leaving the company. Such a product puts users on notice that their actions are being tracked. At the same time, it doesn't interfere with the overall goal of sharing files with colleagues and clients.