Half of Irish SMEs have had data lost or stolen because of employees with privileged access
More than half (57%) of SME owners in Ireland have had data compromised, lost, or stolen due to employees with privileged access to data. This is according to managed IT and cyber security solutions provider Typetec’s 2022 cybersecurity survey.
The survey of 200 small and medium-sized business owners, commissioned by Typetec and conducted by Censuswide, revealed that 82% of SME owners believe that overprivileged users are a threat to their business. Overprivileged users are those employees with more logins and access to sensitive data and files than are required to carry out the duties assigned to them.
However, 32% of SMEs do not have a process in place to manage employee privileges. To add to the concern, 57% of SME owners admitted that employees who have left the business have retained privileges, meaning they can still access confidential company data after their last day of work.
Currently, 20% of Irish SMEs do not have full visibility of all company data stored on employee devices, including personal devices used for work purposes.
When it comes to cyber security incidents, the research shows that 70% agree that there is a ‘blame culture’ in cybersecurity which delays incident reporting.
Following on from this, 22% of SME owners say that in the event of a security data breach they would not let all affected customers and employees know immediately. Similarly, 19% believe that all their employees would not immediately report a data breach on a work device.
Trevor Coyle, chief technology officer, Typetec, said: “The survey shows us that employees who retain their user logins, passwords etc. to company data after they leave puts an organisation at great risk. Businesses need to think of privileged access as a digital key to company files. You wouldn’t let an employee who is moving on from the organisation keep a key to the office, so don’t let them keep a digital key to essential company data.
“This paired with human error can lead to the loss of critical data, which can be detrimental to the reputation of a business. The solution is to use privileged identity management, while still monitoring access to data on a consistent and timely basis to avoid data theft and loss, and to train staff around such incidents in order to reduce the risk of costly mistakes.
“It’s also clear that reporting cyber security incidents can be delayed due to fear of blame among staff. It’s important that employees feel comfortable enough to report cybersecurity breaches and that an ethos of mindful data management is instilled through ongoing security awareness training. Time is of the essence when it comes to data restoration and recovery, so employees need to be encouraged to be responsible and act fast.”