Annual Data Exposure Report 2022: Part II
The Great Resignation, the Great Reshuffling, the Great Reprioritization, or just The Big Quit. Whatever you want to call it, 9 in 10 executives say they’re experiencing higher-than-normal turnover. It’s causing all sorts of problems for companies — and our Annual Data Exposure Report 2022 homed in one of those problems: the surge in data theft and leak from all these departing employees. Every time an employee leaves your company, there’s a greater than 1-in-3 chance they’re taking some IP with them. We call this data exposure Insider Risk.
What the 2022 DER tells us
Vanson Bourne independently conducted this year’s Annual Data Exposure Report 2022 study, surveying 700 business leaders, security leaders and practitioners from companies in the U.S. The study uncovered three key trends driving increased data exposure:
1. Cloud technologies drive the modern workforce: The continued adoption and use of cloud technologies by the hybrid-remote workforce – sometimes unsanctioned by IT – and security’s lack of visibility into data as it moves across those technologies.
2. The Great Resignation: Sustained, high turnover increasing risk of departing employees’ theft of corporate data – IP, source code, customer information and product plans.
3. Internal misalignment on Insider Risk: Ongoing misunderstanding and poor communication between stakeholders at the board, security leadership and security practitioner levels on the subject of data exposure and exfiltration.
This is part two in a three-part blog series on these key trends. You can check out the first post here — and stay tuned for the final post in the coming days.
The Great Resignation throws sparks into a data exposure tinder box
We’ve been talking about data risk from departing employees for years now — it’s one of the top indicators of Insider Risk. Occasionally it’s malicious; more often than not, it’s just an employee “looking out for number one” — taking the files and data from work they helped create and naturally feel a sense of pride and ownership over. In fact, our research shows that every time an employee quits, there’s a one-in-three chance they’ll take company intellectual property – not just any kind of data, but IP – with them. Now multiply this risk by record-high turnover rates. The Great Resignation makes this “old” problem an urgent problem for every business. People continue leaving their jobs at record rates, month after month. The latest figures show a record-high 4.5 million Americans voluntarily left their jobs in November; roughly 33 million people have quit jobs since April 2021.
If the cloud-powered hybrid-remote workforce is the kindling that creates a flammable situation, the Great Resignation is an ongoing shower of sparks — a dangerous catalyst for data exposure and exfiltration. People are leaving more often than ever. It’s easier than ever for them to take data. And it’s harder than ever to see and stop it.
Security spending isn’t keeping up with departing employee insider risk
Our 2022 Data Exposure Report showed that this heightened insider risk from the Great Resignation isn’t exactly shocking news to companies. Nearly everyone — 95% of business leaders, cybersecurity leaders and cybersecurity practitioners — agree that high turnover is raising cybersecurity concerns. A similar 97% say they have cybersecurity concerns around the remote work shift that’s happened over the last two years. Yet, our research also showed that the vast majority of companies aren’t really able to see this data exfiltration at all — hampering response before the employee (and the data) is long gone: Nearly three-fourths (71%) of respondents said they lack visibility over what and/or how much sensitive data departing employees take to other companies.
Despite these results suggesting a painful awareness of the problem around departing employees, companies aren’t throwing money at addressing this issue. For example, less than half of companies are making it a top-2 priority to improve tech around their hybrid-remote workforces. Overall spending on insider risk management tech and programs barely increased at all over last year. And 73% of respondents say their current budgets fall well short of what they need to rise to the unprecedented challenges of growing cloud tech colliding with record-high turnover.
Competing priorities and miscommunication holding security teams back
The 2022 Annual Data Exposure Report also uncovered a big part of why companies aren’t attacking rising insider risk effectively: In the simplest terms, business leaders are focused on what data is being taken — the content and the value — while cybersecurity practitioners are predictably more concerned with how data is being taken. Understanding both the what and how are critically important. But a lack of alignment means no clear strategy. And if you can’t agree on where you want to go, it’s a lot harder to justify the budget to get “there.
We’ll dig more into this final trend — the gaps between cybersecurity practitioners and business leadership — in our next blog. In the meantime, you can go straight to the source: