80% of Organizations Have Sensitive Data Saved on Employee Devices, Against Policy

44% of respondents surveyed by SANS Institute admitted no controls in place at all to stop employees from copying PII to endpoints

Organizations recognize the significant risks arising from sensitive and regulated data on endpoints, and are struggling to stop it, according to the inaugural SANS Endpoint Data Survey, conducted on behalf of CrashPlan by the SANS Institute. Although most organizations prohibit regulated and sensitive data from being stored on employee devices and try to stop it from happening, an overwhelming majority of respondents admitted their employees still save these protected data types on endpoints.

The SANS survey showed that three in four (78%) organizations store, process, or transmit some type of data that requires special handling because of externally imposed regulations or other standards, whether personally identifiable data (PII), financial data or intellectual property (IP). Regulatory compliance is top of mind as organizations seek to comply with GDPR and the UK Data Protection Act (DPA), the Payment Industry Data Security Standard (PCI DSS), HIPAA, and other frameworks. But despite the imperatives and efforts to enforce policies, survey results show that the vast majority of organizations aren’t able to control regulated data any more effectively than other types of data.

  • PII: 56% of organizations try to block users from copying PII data to endpoints, but 80% said some data remains on endpoints
  • Financial Data: 57% try to block sensitive financial data from being saved or stored on endpoints, but 76% said some remains on endpoints
  • Intellectual Property: 54% try to block sensitive IP from being saved or stored on endpoints, but 78% said some remains on endpoints
  • Technical data: 46% try to block technical data from being saved or stored on endpoints, but 80% said some remains on endpoints
  • Other data: 11% try to block other types of data from being saved or stored on endpoints, but 74% said some remains on endpoints

“Regardless of policies, users are always going to work in the ways that they find fastest and easiest. Organizations need to consider the business needs that are driving users to store data on their local devices and take a human-centric approach to solving the problem. That means designing and using systems that make it easier for users to safeguard data than to expose it,” said Todd Thorsen, Chief Information Security Officer for CrashPlan. “The gaps driving risk to PII, IP, financial, and other types of data within day-to-day practices must be closed.”
