Nearly 90% of CIOs are concerned that their current security policies and procedures are putting them at risk of serious fines under new European data protection laws, according to a new study from Egress Software Technologies.
The encryption services provider claimed that 87% of the IT leaders it spoke to from companies with more than 1,000 employees were worried their firm was at risk of fines of up to 4% of annual turnover, according to strict new penalties levied by the European General Data Protection Regulation (GDPR).
In addition, over three-quarters (77%) of respondents said they were frustrated that staff failed to use technology like encryption made available to them to ensure they work more securely.
Egress CEO, Tony Pepper, claimed users often find ways to bypass security measures and “take the risk” if they think these tools will slow down business processes.
“Another problem is that IT is often as resistant as users. As the research shows, ease of deployment is a big driver for selecting what technology gets prioritized and dealing with users is often a bit of a headache,” he told Infosecurity.
“This is creating a real barrier to deployment. When asked to describe discussions they had had around deploying encryption-based secure communication solutions – such as email encryption – almost half of the respondents said they thought users would find it too complicated and it’d create a help desk nightmare.”
The study also appeared to reveal that the series of high profile attacks publicized in the media over the past year are having an effect on security policy.
Some 49% of respondents said they prioritize external threats, while just 20% focus mainly on accidental breaches from within – despite the latter accounting for the vast majority of incidents.
Pepper argued that IT leaders must make security “invisible to the user” so that it’s seamlessly integrated into the everyday tools they’re used to using – but added that “technology is really just half the battle.”
“If you want people to adopt security you need to make them understand why – the education piece is vital. This could be someone sending an email, but equally it could be making them understand why they should not click on a phishing email,” he argued.
“This also includes having clear policies and procedures around data, so that everyone knows exactly what level of information assurance should be applied in each situation. There should be no ambiguity.”