23 Sep 2016

The Widening Gap Between IT and End Users Report – Vulnerability is in the Employees

An independent study from Ponemon Institute and Varonis was published last month highlighting the widening gap between IT and end users.

Although the UK Government, IT providers, security specialists, the media and many IT departments have been highlighting concern about cyber attacks and security breaches, this study reports a disappointing trend for businesses across the US and Europe.

The study surveyed 3,027 employees in the US, UK, Germany and France in April and May 2016. The results were compared against a similar survey conducted in 2014 with employees who were similar in demographics and types of organisations they work in.

A Security Blow for the Business IT World

The study reported that there has been:

  • An increase in the loss or theft of data
  • An increase in the number of employees with access to sensitive data
  • A greater certainty that insider negligence is the primary problem for businesses

The results indicate that end users are now less likely to be taking all the appropriate steps to protect company data, and that security and data protection policies are not enforced strongly enough. The IT respondents, however, see it differently: they believe that employee habits have improved and that their organisations' enforcement of security policies has slightly improved over the last two years.

Also concerning is that, whilst 61% of IT security respondents view data protection as a high or very high priority, 29% view it as only a moderate priority. It is surprising that IT people, who are well aware of the current security challenges and of the GDPR framework, do not rank data protection higher. It would be interesting to find out why, as IT security and data protection go hand-in-hand.

Mind the Gap

Whilst the IT team needs to make sure the technology is kept up to date with the latest versions and patches, the results highlight that the biggest risk sits with insider negligence. External attackers and malicious employees/contractors are recognised as threats, but are rated as a lower risk.

End users can accidentally leak data or put it at risk through the IT they use, and may not appreciate the real impact, or may think they have fixed things themselves rather than notifying a manager/Director who would action a recovery process. Simple mistakes include:

  • Sending the wrong document
  • Oversharing on social media
  • Losing a laptop or having it stolen – do employees store information locally, or do you prevent this and make sure everything is saved onto the company server? Do you have a way to remote wipe the device?
  • Misplacing a USB drive/memory stick with important data on it – or picking one up and inserting it into a company computer, only to find it has a virus on it.
  • Sharing their password with another employee to access the system, or using the same password for all online accounts – hack one, access all!

When reflecting on insider negligence, most people will naturally think about the end user. Whilst the end user has carried out the action resulting in a breach, what has the company done to educate that end user, and what processes and investments have been implemented in IT to protect the company?

Therefore, doesn't this negligence also apply to the Directors/owners of the business as the ultimate decision makers? As leaders of the business, do they not have a duty to take responsibility? The GDPR reflects this thought – it doesn't penalise the employee; it focuses on the business. Directors and business owners are not expected to be experts in security, but there are plenty of skilled businesses out there who can help and provide guidance.

Understanding the Threat

If you asked any employee to articulate their understanding of IT security related issues for your business, how well could they? These are the people who have access to your company information and are the most likely to:

  • Open a virus through a download
  • Accept malware through a phishing attack
  • Introduce their mobile device onto your network without having it checked by IT
  • Forget to update their security settings
  • Use less complex passwords

There are things you can do such as managing IT updates centrally so you are not reliant on your employees managing these. But are they, for example, aware of the risks associated with public WiFi? Most employees will carry out an action believing they are doing the right thing for the business and improving their productivity without the awareness of the risks. Unfortunately, outsiders will take advantage of this.

Question then Action

Guidance and accountability have to start from the top. Businesses need to engage with their end users and build awareness, so that everyone questions what they are doing before carrying out an action. If something doesn't seem right, it often isn't.

This is a long-term commitment, not a short-term quick fix. As well as briefing employees (existing and new joiners) and making them aware of security-related policies coming into effect, a good educational tool is to communicate with all employees every time a breach is experienced. Explain how the breach occurred, what to look out for, how it impacted the company, how it recovered, and any updates made to company processes to avoid it happening again. This doesn't involve 'naming and shaming', which would be detrimental to what you are trying to achieve – who is going to admit to clicking on a bad link knowing they will be named for doing so? It is a chance to educate everyone with a very real scenario. Combine this with regular communication about attacks that are happening in the market, what the industry is doing to protect businesses and what employees can do, and you are already moving in the right direction.

Prioritising Security

Ultimately, if a business wishes to protect its data, then it needs to take security seriously and close down its vulnerabilities.

Some key points to take away from the report:

  1. Acknowledgement needs to come from the top down, and leaders need to make data protection a priority.
  2. Make sure end users understand the importance of information security in relation to their productivity.
  3. A lack of controls leaves any business unnecessarily open to breaches. Don't just write the policies; make sure they are adhered to and that people understand why.
  4. Make sure everyone understands the repercussions of a data breach and, recognising that accidents can happen, the urgency of letting managers know if they have caused one so it can be handled as well as possible.
  5. Streamline the company processes and set rules around employee access to data. This will reduce the risk of breaches due to insider negligence, and should also improve employee productivity.
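The last point is the one that can be checked rather than just stated: the report's finding that more employees now have access to sensitive data is exactly what a periodic access review should catch. The script below is an added example, not code from the report, from Varonis, or from the original article. It assumes a flattened permission export in the form folder|sensitivity|principal|rights (an assumed format, constructed inline), together with a constructed group membership table in place of a real directory lookup, and flags sensitive folders reachable by broad groups such as Everyone or Domain Users, or by more people than a chosen threshold.

```python
"""Flag over-broad access to folders tagged as sensitive.

Added example: the export format and the group memberships are assumptions
constructed for illustration, not data from the report or the article.
"""
from collections import defaultdict

# Constructed sample of a permission export (assumed format):
#   <folder>|<sensitivity>|<principal>|<rights>
ACL_EXPORT = r"""
\\fs01\HR\Payroll|sensitive|Everyone|Read
\\fs01\HR\Payroll|sensitive|HR-Team|Modify
\\fs01\Finance\Contracts|sensitive|Domain Users|Read
\\fs01\Finance\Contracts|sensitive|Finance-Team|Modify
\\fs01\Projects\Public|internal|Domain Users|Read
\\fs01\Legal\Cases|sensitive|Legal-Team|Modify
"""

# Constructed group membership; in practice this comes from AD/LDAP.
GROUPS = {
    "Everyone": {"alice", "bob", "carol", "dave", "erin", "frank", "guest"},
    "Domain Users": {"alice", "bob", "carol", "dave", "erin", "frank"},
    "HR-Team": {"alice", "bob"},
    "Finance-Team": {"carol", "dave"},
    "Legal-Team": {"erin"},
}

# Groups that should never appear on a sensitive folder's ACL.
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users", "Users"}


def parse_acl_export(text):
    """Return a list of (folder, sensitivity, principal, rights) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        folder, sensitivity, principal, rights = line.split("|")
        entries.append((folder, sensitivity, principal, rights))
    return entries


def audit(entries, groups, broad=BROAD_GROUPS):
    """Return {folder: {"broad": [...], "users": n}} for sensitive folders.

    "broad" lists broad groups granted any right (as principal:rights) and
    "users" is the number of distinct identities that can reach the folder
    through any listed principal. A principal not found in the group table
    is treated as an individual user."""
    findings = {}
    reach = defaultdict(set)
    for folder, sensitivity, principal, rights in entries:
        if sensitivity != "sensitive":
            continue
        finding = findings.setdefault(folder, {"broad": [], "users": 0})
        if principal in broad:
            finding["broad"].append(f"{principal}:{rights}")
        reach[folder] |= groups.get(principal, {principal})
    for folder, finding in findings.items():
        finding["users"] = len(reach[folder])
    return findings


def report(findings, max_users=5):
    """Return one line per sensitive folder that is over-exposed."""
    lines = []
    for folder, finding in sorted(findings.items()):
        if finding["broad"] or finding["users"] > max_users:
            lines.append(
                f"{folder}: broad={finding['broad']} users={finding['users']}"
            )
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_acl_export(ACL_EXPORT), GROUPS)):
        print(line)
```

On the constructed data the Payroll and Contracts folders are flagged (a broad group on the ACL, and six or seven people able to reach them), while the Legal folder, reachable only by its one-person team, passes. The user-count threshold is the more useful signal over time: rerunning this after each review shows whether the number of people with access to sensitive data is shrinking or, as the report found, growing.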


If you would like to discuss any of the above, please do get in touch and call us on 01727 843888 or email us at