Ever since pivoting Nira into a cybersecurity company focused on document access control, my co-founder Hiten and I have been curious to learn more about how employees think about security. We’d seen plenty of surveys of IT teams, but we hadn’t seen a robust dataset about employee security practices.
So we surveyed 311 people working at companies of all sizes, and asked them about their own security practices.
There were a few key areas we asked about:
- Who is responsible for security?
- Are companies getting SOC 2 certified, and are they using software to help?
- Do people add their personal accounts to documents?
- Does vendor access ever get audited?
- Are people taking documents with them when they leave companies?
State of IT and Security Focus
Depending on your company’s size, you’ll either have no one in IT, a lone IT person, or an IT team.
62% of the people we surveyed said their company has an IT person or an IT team.
This number invariably goes up as a company scales.
Only 27% of the people we surveyed at smaller companies (1-25 people) had an IT person/team.
That number rose to 72% for companies with 26 to 200 employees. And it was nearly 98% for companies with over 201 employees.
For companies without an IT team or person, the administrative work typically falls on company founders, operations, and engineering. These companies typically don’t have the specialized expertise and knowledge in-house that an IT team brings.
We believe that every company that works with and stores any kind of customer data should consider themselves a security company.
Most of the people we surveyed demonstrated this belief, with 77.5% saying that they felt that security was a priority at their company.
Almost all people (94%) working at companies with 201 to 10,000+ employees said that security was a priority at their companies. We’d actually hope that this number was even higher, considering that these companies are all touching confidential information.
This number drops down to 73% for employees of companies with between 26 and 200 people. And even lower – 66% – for those at companies with 1 to 25 people.
This gap could mean a few things. These companies might not have security training or practices in place, or they might have breaches or poor security practices happening that don’t demonstrate a security-first mindset. They are likely more susceptible to breaches and security mishaps, since employees might not have the required training, and the company leadership may not be making security a priority.
SOC 2 Compliance
Software tools that help companies achieve their SOC certifications have been gaining traction in the last few years. This trend has enabled more and more companies to get their SOC 2 certifications, especially startups. With the help of software, smaller companies can get their certifications without needing to hire specialized talent or devote a lot of time to manual evidence collection for auditors.
So we wanted to know, what percentage of companies actually have their SOC 2 certifications?
We were surprised that the numbers weren’t higher.
Only 23% of respondents said yes, their company had its SOC 2. Just under half – 47.6% – said their companies didn’t have a SOC 2. And 30% said they didn’t know.
These numbers are much lower for the smallest companies.
Only 8% of people from companies with 1 to 25 employees said their company was SOC 2 certified. Most of the smaller companies who don’t have their SOC 2 certification either don’t have the resources to get it yet, or they aren’t servicing customers that require a SOC 2.
About a quarter (23%) of people from companies with 26 to 200 employees said their companies have their SOC 2 certification.
That number rose to 40% for people at companies with 201 or more employees.
Having a SOC 2 certification means that companies have processes and systems in place to better safeguard information and operate in a more secure way.
Even though the number of companies with their SOC 2 is still low, it appears that more companies are adopting the SOC 2 framework.
We asked, “Did your company have its SOC 2 certification last year?”
This time, only 19.3% of people said yes, compared to 22.5% that said they have it this year. Growth in certifications was evenly distributed across company sizes.
SOC 2 compliance software has been growing in popularity.
New SOC 2 vendors have been popping up over the last few years to assist companies seeking their SOC 2 certifications.
But how many companies are using this software?
16% of respondents said that their company is using SOC 2 compliance software.
Nearly 8% of people at companies with 1-25 people said their companies were using the software. This tracks with the 8% that said their company was SOC 2 certified.
17% of people at companies with 26 to 200 employees said they were using SOC 2 compliance software. And 27% of people at companies with 201 to 10k+ employees said that their companies were using SOC 2 compliance software.
Access Control and Security Responsibilities
Do employees really lose access to company documents once they’ve been offboarded?
Most people think that once you offboard someone and remove their access, that person no longer has access to company documents. But that isn’t accurate.
Typically, when companies offboard employees, they’ll turn their Google accounts off and transfer ownership of documents to a different account. Usually accounts in other cloud tools also get turned off.
But these offboarding procedures have gaping holes.
We asked survey participants “Have you ever left a company but could still access company documents in Google/Microsoft/Box/Dropbox?”
Over a third – 35% – said yes, they could still access documents. That means over a third of people looked to see if they could access documents after they left a company, and they actually could. That’s a lot of risk and potential for document exfiltration. And it’s also a breach of many compliance frameworks that require full offboarding of employees, like SOC and ISO.
37% of people we surveyed said they could not access company documents after they left. And the remaining 27% said they never checked.
That means that over a third of people have been able to access company documents after they left an employer, and that number could be much higher if the other 27% checked to see whether they could still access documents.
This is a massive risk for companies. Former employees can use that information for future jobs, including working with competitors. Plus, the information could leak out into the public since it isn’t secure, and cause the company anywhere from thousands to millions of dollars in damage.
This problem persists across small and large organizations.
For people who work at companies with 201 employees up to 10k plus employees, 32% could still access documents after they left an employer.
30% of people at companies with 26 to 200 employees said they could get to company documents.
And 39% of people at companies with 1 to 25 people said they could access company documents after they no longer worked at an employer.
This is a massive issue for companies of all sizes, and most systems and processes that companies are using don’t protect against it.
It’s easier than ever to share documents with outside parties. And that includes employee personal accounts.
When people think about document access issues, malicious acts are what typically come to mind. But in reality, many of the document access problems are accidental and not intentional.
One type of accidental unauthorized sharing is employees adding personal accounts without meaning to.
Over half (52%) the people we surveyed said they or a coworker had accidentally added their personal email to company documents. That’s way higher than we expected!
13% of respondents said they weren’t sure, and 35% said they hadn’t.
This problem exists at companies of all sizes, and it actually appears to get worse for larger companies.
Half of the people we surveyed at companies with 1-25 employees said they or a co-worker had accidentally added their personal account to company documents. At companies with 26 to 200 employees, 56% said they had accidentally added personal accounts before. And 51% of people from companies with 201 to 10k plus employees said they had accidentally added their or another employee’s personal account before.
That’s an awful lot of personal accounts being added to documents. And most of the time, companies have no idea those personal accounts even have access.
Nira can tell you exactly which personal accounts have access to company documents and exactly which documents those accounts can access.
To see which personal accounts have access to your company’s files, request a demo of Nira.
Not only are people accidentally sharing company documents with personal accounts. They’re also inadvertently creating company documents using their personal accounts.
In fact, I noticed when sharing the draft of this post with my co-founder that I had accidentally created the document using my personal account instead of my Nira account. It’s just that common.
When asked “Have you ever accidentally created a document for work using your personal email account?” 51% of respondents said they had. 45% said they hadn’t, and 5% weren’t sure.
Documents created by personal accounts are at higher risk, because IT teams don’t have visibility to those documents.
These documents could have a myriad of issues. They might have public links or even other personal accounts with access. The personal accounts that made the documents might not have security features like two-factor authentication turned on, and there’s no way for a company to monitor that like they can with their own domain.
The documents can contain company IP and confidential information, or customer information that shouldn’t sit outside of the company’s own domain accounts.
Once an employee leaves a company, the documents they accidentally created using their personal accounts aren’t on IT teams’ radar. The documents disappear into the ether, at risk of being accidentally leaked. These personally-owned documents can also be used by employees once they’ve left a company. Or they might be deleted, which means the company loses a bunch of intellectual property.
The number of documents accidentally created on personal accounts is lower for larger companies, though still concerning. 37% of people surveyed at companies with 201 to 10k+ employees had accidentally created company documents on their personal accounts. That’s compared to 56% of people at companies with 1 to 25 employees and 62% at companies with 26 to 200 employees.
One question we were dying to get the answer to was, what percentage of people take documents with them before they leave a company?
We knew this was a super common behavior, but are people willing to disclose that they are taking documents?
Almost half – 45% of people – were willing to admit that they’d taken documents before. And another 9% said they’d rather not say.
That’s way higher than we expected. That means just under half of people have taken documents from their former employers, and an additional 9% may have too but just don’t want to admit it. Not to mention all the people who said no but probably actually have taken documents before.
This number was highest for people who were currently at companies with 26 to 200 employees. 50% of them said they’d taken company documents when exiting an employer before.
44% of people who work at companies with 1 to 25 employees said they had taken documents, and 43% who worked at companies with 201 to 10k plus employees said they took documents.
That’s a ton of risk for companies. And oftentimes, it’s not being mitigated at all.
Another area of concern for companies is sharing information with outside parties. Collaboration is happening constantly between companies, but how often is a vendor’s access actually revoked once a company is no longer working with them?
41% of respondents said they sometimes removed access, 40% said they always did, 12.5% said they rarely did it, and 7% said they never removed vendor access.
This means that vendor access persists for most companies after projects have been completed, unless IT is actively monitoring this and knows which vendors have access and which should no longer have access.
This challenge is a bit less of a problem for larger companies, but it’s still an issue. While 48% of people at companies with 201 to 10k plus employees said they always removed access, 36% said they only removed access sometimes.
Most companies have no idea which vendors had or have access, and are not offboarding these external companies when projects are complete.
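To make three of the findings above concrete (offboarded employees who still hold access, personal accounts added to or owning company documents, and vendor access that outlives the engagement), here is an added example of the kind of audit an IT team could run over an exported permission list. It is not Nira’s code and does not use Nira’s product or data model; the company domain example.com, the consumer e-mail domain list, the sample ACL entries, the offboarded-user list and the vendor engagement end dates are all constructed assumptions.

```python
"""Audit constructed document-sharing records for the access problems the survey
describes: personal accounts on company documents, documents owned by personal
accounts, offboarded employees who still hold access, stale vendor grants and
public links. Everything below (company domain, ACL export shape, HR data) is a
constructed assumption, not Nira's data model or any vendor's API."""

from datetime import date

COMPANY_DOMAIN = "example.com"  # assumed company domain

# Consumer e-mail providers treated as "personal" accounts (assumed list; extend as needed).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Constructed sample ACL entries, roughly the shape of a Drive/Box/Dropbox permission export.
SAMPLE_ACLS = [
    {"doc": "roadmap.gdoc", "owner": "alice@example.com", "principal": "alice@example.com", "role": "owner"},
    {"doc": "roadmap.gdoc", "owner": "alice@example.com", "principal": "alice.personal@gmail.com", "role": "editor"},
    {"doc": "roadmap.gdoc", "owner": "alice@example.com", "principal": "bob@example.com", "role": "viewer"},
    {"doc": "contract.gdoc", "owner": "carol@example.com", "principal": "carol@example.com", "role": "owner"},
    {"doc": "contract.gdoc", "owner": "carol@example.com", "principal": "dave@vendor-corp.com", "role": "editor"},
    {"doc": "contract.gdoc", "owner": "carol@example.com", "principal": "anyoneWithLink", "role": "viewer"},
    {"doc": "notes.gdoc", "owner": "eve.home@yahoo.com", "principal": "eve.home@yahoo.com", "role": "owner"},
    {"doc": "notes.gdoc", "owner": "eve.home@yahoo.com", "principal": "frank@example.com", "role": "editor"},
]

# Constructed HR data: who has been offboarded, and each vendor engagement's end date.
OFFBOARDED = {"bob@example.com"}
VENDOR_ENGAGEMENTS = {"vendor-corp.com": date(2023, 6, 30)}  # domain -> engagement end


def domain_of(email):
    """Lower-cased domain part of an address, or '' for non-address principals."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def classify_principal(principal, company_domain, offboarded, vendors, today):
    """Return finding codes for one non-owner principal (empty list means no issue)."""
    if principal == "anyoneWithLink":
        return ["public_link"]
    dom = domain_of(principal)
    if dom == company_domain:
        # Internal account: only a problem if the person has already been offboarded.
        return ["offboarded_user"] if principal.lower() in offboarded else []
    if dom in PERSONAL_DOMAINS:
        return ["personal_account"]
    if dom in vendors:
        # Vendor grant is fine during the engagement, stale once the end date has passed.
        return ["stale_vendor_access"] if today > vendors[dom] else []
    # Any other external domain is flagged for a human to review, not auto-removed.
    return ["unknown_external"]


def audit_acls(acls, company_domain=COMPANY_DOMAIN, offboarded=OFFBOARDED,
               vendors=VENDOR_ENGAGEMENTS, today=None):
    """Walk every ACL entry and return (doc, principal, finding_code) triples."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    results = []
    owner_checked = set()
    for entry in acls:
        doc, principal = entry["doc"], entry["principal"]
        # A document owned outside the company domain is invisible to IT,
        # regardless of who else has been granted access to it.
        if doc not in owner_checked:
            owner_checked.add(doc)
            if domain_of(entry["owner"]) != company_domain:
                results.append((doc, entry["owner"], "external_owner"))
        if entry["role"] == "owner":
            continue  # the owner's own entry is covered by the external_owner check
        for code in classify_principal(principal, company_domain, offboarded, vendors, today):
            results.append((doc, principal, code))
    return results


def summarize(results):
    """Count findings per category, the shape a weekly access-review report would take."""
    counts = {}
    for _, _, code in results:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    findings = audit_acls(SAMPLE_ACLS, today="2024-01-15")
    for doc, who, code in findings:
        print(f"{code:20} {doc:15} {who}")
    print(summarize(findings))
```

In a real deployment the ACL list would come from the collaboration suite’s admin export and the offboarded and vendor lists from HR and procurement records; the point of the separate `unknown_external` category is that an audit should surface unexpected external grants for review rather than silently revoke them, since some will be legitimate partners that simply are not yet on the vendor list.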
Document access issues pile up fast and they go unnoticed at companies of all sizes. But who is responsible for securing access to company documents? Is it IT? Someone else?
We learned that most employees think they are responsible for securing access to their documents.
A whopping 55% said they were responsible for securing access to the documents they create. That means that more than half of employees think they should be securing their own documents.
About a quarter, 24%, said that IT was responsible, 11% said the security team was responsible, and 10% said that they thought no one was responsible.
Ownership of who has access to company documents shifts a bit from an individual to IT at larger companies.
At companies with 201 to 10k or more employees, 49% thought they were responsible for securing the documents they created, while 32% thought that IT was responsible and 16% thought Security was responsible.
At companies with 26 to 200 people, 47% thought they were responsible, 32% thought IT was responsible, and 7% thought that security was responsible.
Although most employees believe they are responsible for securing access to company documents, today, most don’t actually have a tool to help them. So document access issues persist.
With the proliferation of online collaboration tools, controlling who has access to company documents and who doesn’t is a responsibility that doesn’t fall only on IT and Security teams. Each and every employee becomes responsible for securing the documents that they create and share with co-workers and external parties.
At Nira, we’re committed to exploring these problems, sharing what we learn and creating solutions for entire organizations.
Request a demo today to see what Nira can do to protect your company’s documents from unauthorized access.