80% of Organizations Have Sensitive Data Saved on Employee Devices, Against Policy

44% of respondents surveyed by SANS Institute admitted no controls in place at all to stop employees from copying PII to endpoints

MINNEAPOLIS, June 05, 2024 (GLOBE NEWSWIRE) — Organizations recognize the significant risks arising from sensitive and regulated data on endpoints, and are struggling to stop it, according to the inaugural SANS Endpoint Data Survey, conducted on behalf of CrashPlan by the SANS Institute. Although most organizations prohibit regulated and sensitive data from being stored on employee devices and try to stop it from happening, an overwhelming majority of respondents admitted their employees still save these protected data types on endpoints.

The SANS survey showed that three in four (78%) organizations store, process, or transmit some type of data that requires special handling because of externally imposed regulations or other standards, whether personally identifiable data (PII), financial data or intellectual property (IP). Regulatory compliance is top of mind as organizations seek to comply with GDPR and the UK Data Protection Act (DPA), the Payment Industry Data Security Standard (PCI DSS), HIPAA, and other frameworks. But despite the imperatives and efforts to enforce policies, survey results show that the vast majority of organizations aren’t able to control regulated data any more effectively than other types of data.

  • PII: 56% of organizations try to block users from copying PII data to endpoints, but 80% said some data remains on endpoints
  • Financial Data: 57% try to block sensitive financial data from being saved or stored on endpoints, but 76% said some remains on endpoints
  • Intellectual Property: 54% try to block sensitive IP from being saved or stored on endpoints, but 78% said some remains on endpoints
  • Technical data: 46% try to block technical data from being saved or stored on endpoints, but 80% said some remains on endpoints
  • Other data: 11% try to block other types of data from being saved or stored endpoints, but 74% said some remains on endpoints

“Regardless of policies, users are always going to work in the ways that they find fastest and easiest. Organizations need to consider the business needs that are driving users to store data on their local devices and take a human-centric approach to solving the problem. That means designing and using systems that make it easier for users to safeguard data than to expose it,” said Todd Thorsen, Chief Information Security Officer for CrashPlan. “The gaps driving risk to PII, IP, financial, and other types of data within day-to-day practices must be closed.”

The full SANS Endpoint Data Survey report along with a webinar highlighting key insights and data points is available for download here:

About CrashPlan
CrashPlan® enables organizational resilience through secure, scalable, and straightforward endpoint data backup. With automatic backup and customizable file version retention, you can bounce back from any data calamity. What starts as endpoint backup and recovery becomes a solution for ransomware recovery, breaches, migrations, and legal holds. So, you can work fearlessly and grow confidently.

About SANS Institute
The SANS Institute empowers current and future cybersecurity practitioners around the world with immediately useful knowledge and capabilities. The Institute specializes in the most comprehensive cyber security education, resources and training programs for individual practitioners and cyber teams worldwide.

Media Contact:
Maura Lafferty
Firebrand Communications