
Executive Guidance
Managing the Hidden Causes of Data Breaches

Introduction

Think about it: each time a customer uses a store loyalty card, drives away in
a new car, or buys a pair of shoes, data is being collected, processed, and used
to predict their next purchase, develop a new product or service, or improve
a marketing campaign. Similarly, each time an employee clocks in, sends an
e-mail, or spends time on the Internet, data is being collected that could measure
his or her productivity, work habits, likelihood to stay, and even potential for
risky behavior.
In 2015 alone, customers, employees, and other users created about 7.9 zettabytes
of data globally. By 2020, that number is expected to reach 35 zettabytes.[1] To
put that in context, if gigabytes were dollar bills placed on top of one another,
the stack would stretch to the moon and back almost five times. But it's more
than just the growing volume of data; the types of information collected are
multiplying as well. Where organizations once gathered mailing addresses and
telephone numbers from their customers, new technologies now allow them to
track demographics, web histories, buying preferences, physical location, and
even biometric data.


Thanks to rapid advances in computing power and analytics, companies can
collect and process data on a massive scale in real time, allowing them to
fine-tune their products, marketing campaigns, and business operations. The
advent of big data, machine learning, and predictive analytics gives progressive
companies that can harness this potential a competitive advantage by not
only growing revenues but also improving efficiency. Perhaps it's no surprise
leadership teams are finding that their data strategy is integral to their corporate
strategy. Now more than ever, corporate performance is being determined by
how quickly and efficiently information can be collected, managed, and applied
to make business decisions.

[1] CSC, Big Data Universe Beginning to Explode, 2012, http://www.csc.com/insights/flxwd/78931-big_data_universe_beginning_to_explode.

More Information Can Be a Blessing or a Curse

For many executives, it can feel like more information is better. Unfortunately,
collecting a virtually unlimited amount of customer and employee data poses
a serious problem for organizations, as the amount of information they collect
often outstrips their ability to protect it. In 2014, 43% of companies experienced
at least one data breach.[2] And the severity of these breaches is increasing too;
the average total cost of a data breach rose this year to $4 million (a 13.6%
increase from 2014).[3]

These numbers are especially scary given that 76% of information risk executives
believe it is now harder (or significantly harder) to prevent data breaches than
in the past. Worse, if the breach contains certain types of sensitive personal
information (e.g., social security numbers, health records, credit card numbers),
it can constitute a privacy failure, and additional legal duties are triggered that
could prove burdensome and invite increased regulatory scrutiny. And, of
course, there's the reputational damage; more than 90% of US Internet users
say they avoid companies that do not protect their privacy.
[Figure: The Rising Cost of Data Breaches. Left panel, Average Total Cost of a Data Breach (in Millions): 2014, $3.5; 2015, $3.7; 2016, $4.0 (a 13.6% increase). Right panel, As Compared to Two Years Ago, How Would You Rate the Difficulty in Preventing a Data Breach Today? Percentage of respondents answering Easier, Stayed the Same, Harder, or Significantly Harder (the four response shares shown are 10%, 14%, 24%, and 52%). Source: CEB analysis; Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, June 2016.]

To further complicate matters, it's not just data collection and use that are
rapidly changing; the legal and regulatory environment is changing as well.
Depending on where data is collected, stored, and used, companies can be
subject to multiple (and potentially conflicting) regulatory frameworks for
managing data. This complexity is made worse as many countries, including
the United States, have yet to establish an overarching framework for
governing data.
Countries that do have governing frameworks are creating strong enforcement
mechanisms. For instance, the recent General Data Protection Regulation
(GDPR) set forth by the European Union provides for substantial penalties
for violations, as much as 4% of global revenue. That said, the recent vote by
the United Kingdom to leave the European Union highlights the regulatory
uncertainty companies will continue to face; the United Kingdom must now
determine its own laws and regulations on governing information (which could
be even stricter than those of the European Union).
Rightly so, boards and senior executives have begun to focus more of their
time learning to balance the benefits of data with the costs of ensuring its
protection, particularly data related to their customers and employees. An
overwhelming 94% of information risk executives stated that their boards'
cybersecurity concerns have increased. The typical company's first step in
reducing the potential for data breaches is to invest heavily in firewalls and
new technologies to detect intruders. Indeed, the average information security
budget last year was $14.7 million, and that budget is expected to increase by
an average of 5% in 2016 (with almost half the companies surveyed expecting
their budgets to grow by more than 10%).

n = 42 CEB member institutions.
Source: CEB May 2015 Information Risk Peer Perspectives Poll.

[2] Elizabeth Weise, 43% of Companies Had a Data Breach in the Past Year, USA Today, 24 September 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197.
[3] Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, June 2016.

Technology Alone Won't Protect Sensitive Data

To be clear, technology is useful in detecting breaches and improper access to
information within companies. But technology is not a panacea. Despite rapid
technological advances and increased spending, breaches continue to grow in
number and severity. Why is that? Are hackers becoming more sophisticated?
That's part of the reason, but it doesn't tell the whole story. Management
teams' focus on technology to protect data has created a false sense of security
because even effective technical controls do not adequately address the causes
of privacy risks associated with organizations' lawful collection and, most
importantly, use of information.
Aside from implementing technology to secure their data, companies need to
address two common (and underappreciated) problems that are endangering
their data, reputation, and business performance:
1. Accumulating (and Not Using) Too Much Data: Is it possible to have too much
data in the big data era? Yes, if the data collected is never used or is retained
beyond its useful life. Simply stated, keeping unused data unnecessarily increases
the risk (and cost) of a potential data breach.
2. Overlooking Employees as a Threat to (or Ally in) Data Protection: Contrary to
what newspaper headlines might indicate, the majority of privacy failures stem
from insiders (our own employees), not external hackers. Most organizations do
not clearly understand how to control this internal risk and better use employees
to avoid a privacy failure.


Accumulating (and Not Using) Too Much Data

The simplest way to protect sensitive data from hackers or rogue employees
is not to have it in the first place. Thieves can't steal data that isn't there. But
companies drawn by big data's tantalizing promises can collect too much
information in the hopes that they might be able to analyze it later. Worse,
companies often keep data long after its usefulness has passed; data doesn't
need to be current for a data breach to occur. Disposing of data properly is just
as important as collecting it.
In the end, collecting data for data's sake often creates more risk than reward
or more headaches than opportunities. There's a difference between big data
and lots of data, and organizations need to constantly evaluate how they use
data and set clear guidelines on what data they collect and store.
Assess the Value of Data Relative to Its Risk and Costs

As most executives realize, the risk of a data breach must be weighed against the
potential return from using the collected and stored data. As such, leadership
teams need to determine their risk appetite for data collection and retention.
Assessing and evaluating the true value of data and the potential risk of a data
breach will help leaders set their data strategy and avoid collecting too much.


To establish a common data risk appetite and rules for data collection and
protection, executive teams should ask the following questions:

1. What is the business need for the information we collect?

Too often, companies use a "collect now, analyze later" approach to information,
thinking that more information is always better. Instead, leaders should consider from
the outset how the information will further their corporate strategy and performance.
Some areas to consider include:
- How the information will increase revenue or reduce cost, including specifics on
how the data will influence decisions or processes that affect critical outcomes like
sales and employee retention;
- Potential future uses for the data, including advances in analytic methods or new
strategic directions for the company; and
- Current internal initiatives the data could enhance, such as Marketing's evaluation
of potential product launches or improvements to website traffic and brand
awareness.
2. Do we have the capabilities and knowledge to use the data?

In addition to understanding the data's value, leaders need to assess honestly whether
their organization has the skills and capabilities necessary to collect, manage, and
analyze the data. In reality, many organizations live in a world of data abundance
but analytics scarcity. The data science skills and analytic know-how required to tap
into high-volume data streams and apply that information in decision making are in
high demand and, in many organizations, newly emergent. Executives should ensure
they have a capable team of analysts and data experts ready to turn data into insight;
otherwise, the data may sit largely untapped or, worse, misused.
3. How would the public react to the information we collect and how we use it?

Although an enormous amount of data can lawfully be collected about customers
and employees, leading companies are working to better understand how people feel
about providing that information. Progressive leadership teams measure and consider
cultural beliefs and norms when weighing the benefits of collecting specific information
about customers and employees, understanding that perceptions change depending
on the jurisdiction. They weigh the data's potential value against the reputational harm
of the public knowing the information is being collected. Customers' and employees'
potential misperceptions must be considered, and the cost of bad publicity must be
factored into data collection and use plans.

4. What information needs to be protected (and at what level and cost)?

Keeping all company information secure is important, but certain types of information
(e.g., health records, social security numbers, credit card numbers) require heightened
protection under specific privacy laws or regulations. Losing such sensitive information
can turn a data breach into a full-blown privacy failure. Companies need to address and
classify these information types and understand the oversight and compliance costs
associated with their retention. As noted earlier, the potential cost of a data breach
involving sensitive data can be substantial and must be considered when determining
whether the information will advance business objectives.
5. How long should sensitive data be retained?

As mentioned, companies often keep data long after its usefulness has passed. As
organizations adapt to the changing business environment, data collected from
previous initiatives can easily be forgotten and buried within corporate servers. Leading
companies are incorporating the data they collect into their records management
policies to ensure the data does not exist indefinitely. For instance, data from former
customers should be considered for proper disposal because a breach involving that
information could still trigger legal consequences, such as the requirement to inform
all customers of the breach. Moreover, the customers' information is likely outdated,
requiring a significant investment to track down current addresses and notify them in
the event of a data breach. Establishing data's shelf life is a critical step to minimize
the risk of a costly data breach involving low-value data.
6. Who needs access to the information?

Given data's various uses today, many employees will need access to the data or to the
results of the data's application. Fully understanding who will be working with the data
(especially sensitive data) can help prioritize risks and pinpoint potential breach points
more quickly. When determining this, leaders should identify who will handle the data
(e.g., IT, Marketing, HR), how they will use the data, and who might need continuous (as
opposed to one-time) access. In addition, steps should be taken to ensure employees
who don't need access to sensitive data don't have it.


Overlooking Employees as a Threat to (or Ally in) Data Protection

Recent headlines might make hackers seem like the bigger threat to data
security, but our research over the past three years suggests that internal
issues, particularly employee errors, account for almost 60% of privacy failures.
Various factors drive this alarming statistic. First, employees are not only
working faster and with more data, but also with more of their colleagues. The
average employee today collaborates with 10 or more individuals just to
accomplish his or her day-to-day work. This means more data changing hands
and more opportunities for the misuse or loss of sensitive information. In
addition, with the advent of cloud-based productivity tools, employees are more
likely to send company data to their personal devices or accounts, blurring the
lines between personal and professional time. In fact, almost two-thirds of
employees regularly use personal technologies for work. This is especially
troubling because the decisions made by employees can often create far more
headaches than any malicious third party.

How and why do employees put sensitive data at risk? Simply stated, employees
typically create a data breach in one of four ways:
1. Unintentional Lack of Awareness: An employee does not know that what he or
she is doing is wrong (e.g., collecting too much information from customers).
2. Unintentional Mistake: An employee knows the security requirements but makes
an error (e.g., sending a package or an e-mail to the wrong person).
3. Intentional, Malicious Behavior: An employee intentionally opens doors for
hackers to enter the system or leaks sensitive information to people outside the
company.
4. Intentional, Non-Malicious Behavior: An employee is aware that what he or she
is doing is wrong but does it to achieve another objective (e.g., getting work done
more easily at home, saving time).


[Figure: Reasons for Employee-Based Data Breaches. Question: Which of the following factors most significantly contributed to the data privacy violations you observed or were involved in at your company in the past 12 months? Select all that apply. Unintentional Lack of Awareness, 58%; Intentional, Non-Malicious Behavior, 45%; Unintentional Mistake, 44%; Intentional, Malicious Behavior, 8%. n = 2,230 employees. Source: CEB analysis.]

Perhaps believing employees want to do the right thing, companies spend most
of their time and budget focusing on the unintentional causes of data breaches.
Not surprisingly, leadership teams invest in either training employees on
privacy issues to increase awareness or implementing technical controls to
limit mistakes. However, it's dangerous to assume employees are always willing
to comply with rules, and it diverts management's attention from what may be
an equally significant issue: intentionally noncompliant behavior. Our research
suggests that intentional, non-malicious behavior accounts for a substantial
percentage of data breaches. The uncomfortable truth is that employees often
know exactly what they are doing when they put the company's most sensitive
data at risk. We call these employee behaviors "rationalized noncompliance."
Rationalized noncompliance occurs when an employee is aware of a policy
or requirement but chooses to ignore it, not for malicious reasons but for
personal convenience or what the employee believes is good for the company.
For example, an employee might send work files to his or her personal e-mail
account to finish a project after hours because he or she doesn't have a laptop.
Or maybe the employee disregards the information sharing policy because it is
too difficult to understand. Perhaps the employee doesn't believe anything bad
will come of such actions.

In many ways, improving data security and privacy habits is change
management on an organization-wide scale. It requires understanding how
employees will perceive change, paying particular attention to how it will affect
their behavior and ability to complete their work. The most frequent solution,
security controls, is often perceived as added bureaucracy and a workflow
complication. More than 90% of employees admit to violating policies designed
to prevent breaches and noncompliance. In addition, control-based policies
only work in eliminating some common mistakes and may, in fact, contribute to
the risky behavior. Employees will work to find a way around onerous controls,
rationalizing their behavior as a way to make their job easier. In fact, we have
found that by far the biggest reason employees choose not to follow required
procedures is the level of burden they perceive. For example, when employees
think reporting observed misconduct is difficult, they are nearly 30% less likely
to do so. Similarly, our research indicates that the perceived burden of acting in
a data-secure manner has a strong negative influence on an employee's choice
to act in that way.

Progressive organizations realize they need to manage both unintentional and
intentional employee behaviors if they want to guard against data breaches.
They actively work not only to create a secure data environment but also to
change employee behavior. They recognize that to promote secure behavior,
data security and privacy must be low effort. These organizations design
their privacy requirements to be integrated with or built into key business
workflows, especially where sensitive data is at greatest risk.
To better embed privacy requirements into workflow, leaders should do the
following:
1. Focus on the workflows that handle data.

Not all work involves sensitive data. Identifying the key business processes
that collect, store, and use sensitive data will help determine where to design
controls and guidance directly into existing workflows. Natural places to start
include the processes for hiring new employees, creating new online services
and apps, and using mobile marketing, all of which involve collecting or using
personal information. Prioritizing these processes should be based on the
potential amount of sensitive information to be handled and put at risk. In this
way, solutions can be managed at the source of the risk: the employee.
[Table: Examples of Business Processes That Involve Sensitive Data. High-Risk Business Processes: Application Development; Talent Acquisition; Talent Analytics; Website and User Interface Development; Payment Transactions; Mobile/Individualized Marketing. Medium-Risk and Low-Risk Business Processes (the split between the two columns is not recoverable): Social Media Listening; Business Contact Information; Customer Feedback Surveys; IT Systems Upgrades; Employee Benefits Enrollment; E-Mail Marketing; Text Marketing.]

2. Identify and address situations where noncompliance is more likely.

Even in companies with strong controls, employees will occasionally face
changes in their operating environment or workload that increase the likelihood
of undesirable privacy behaviors. For example, at the end of a quarter, sales
employees may be more focused on hitting sales goals than meeting privacy
objectives. At these times, companies must overcommunicate the dangers
of mishandling or misusing data. Leaders need to reinforce the value of
compliance to individual employees, helping them make rational compliance
decisions by ensuring they understand the benefits of compliance and costs of
noncompliance.

The good news is many of these situations can be predicted. It is often
possible to spot situations in which employee priorities might change or
become ambiguous: gaps in business performance, large projects with looming
deadlines, big changes in workload, or leadership or management transitions.
Leaders can intervene during, or better yet before, such events with
information, direction, and support for good security behaviors. For example,
some companies use targeted, five-minute refresher trainings to remind
employees how to act. They also create communication campaigns to remind
managers and employees how to work with sensitive data.

3. Rely on managers to drive compliance.

Business managers often have the best visibility into where privacy controls are
causing the most business drag. Involving them in the design and application
of privacy requirements increases their own privacy risk awareness and, at the
same time, allows them to be advocates of privacy compliance. Ensure managers
can provide input on how privacy requirements align with their teams' work
and how the requirements are communicated. In addition, use managers to
identify the right formats and times for implementing privacy controls for
their teams. For instance, checklists and decision rules can often be helpful for
employees, but they might be irrelevant to wide parts of the business and, in
some cases, use terms employees do not understand. Working with business
managers will alleviate the use of privacy-specific jargon and allow employees
to ultimately get their work done faster.

4. Use a continuous improvement approach to align privacy
requirements and workflow.

To truly reduce inefficiency and minimize employee burden, every process
needs feedback to adjust to employee work realities. This is especially true
for information-related controls, as technologies often outpace the privacy
function's ability to adapt and work processes can change dramatically across
the business. As such, leading companies get real-time feedback by creating
sounding boards and feedback mechanisms for users who experience controls
frequently. Collecting direct feedback allows leadership teams to broadly
understand their controls' effect on productivity and employee perceptions.

Companies should pay particular attention to feedback indicating:
- Lack of awareness on why controls and policies are necessary;
- Perceptions that policies will complicate work, are time consuming,
or are unrealistic;
- Difficulty in understanding, or simply accessing, privacy-related information;
- Lack of understanding of key privacy terms and definitions;
- Inability to contact managers or compliance team members; and
- Dissatisfaction with responsiveness to questions or with turnaround time
on project reviews or approvals.

Conclusion

As computing power continues to improve and more data becomes available,
collecting and using information will become increasingly critical to a company's
competitive advantage. In fact, many companies have already made their data
strategy a core component of their business strategy, even including the power
of data and analytics in their corporate mission statements. And real-time data
analytics have become critical to decision making for next generation products
and internal business practices. In short, information (and its use) is driving
many aspects of corporate performance. That said, companies must be careful
to ensure the information they do collect is stored safely and used properly.
Failing to keep data secure, particularly legally sensitive private data, can be
costly in terms of lost revenue, large penalties, and lingering reputational harm.


Data is a strategic asset and must be managed as such. To truly reduce the risk
of a data breach that could derail a company's strategy or jeopardize its growth,
leadership teams need to understand that technology, while useful in stopping
hackers from accessing company information, does little to address how data is
collected, managed, and used. All data is not created equal, and protection of the
most sensitive data requires a corporate-wide effort; increasingly, protecting
data means changing work patterns and employee behaviors. Companies need
to ensure they collect only the data they need and can use to achieve business
objectives. And executives must pay attention to how data controls are perceived
and implemented, particularly by employees who are likely to view controls as
a burden or a barrier to completing their work.
Taking advantage of the wealth of available information to learn about
customers, develop better products, deliver service more efficiently, or better
manage the workforce doesn't have to be both a blessing and a curse. In fact,
establishing a more balanced approach to information governance, one that
complements technological controls with prudent and work-relevant privacy
policies, will allow companies to use information better while avoiding the
reputational and business damage of a data breach.


About Us

CEB is a best practice insight and technology company. In partnership with
leading organizations around the globe, we develop innovative solutions to
drive corporate performance. CEB equips leaders at more than 10,000 companies
with the intelligence to effectively manage talent, customers, and operations.
CEB is a trusted partner to nearly 90% of the Fortune 500 and FTSE 100, and
more than 70% of the Dow Jones Asian Titans. More at cebglobal.com.
2016 CEB. All rights reserved. CEB163532GD
