VARONIS RESEARCH PAPER Privacy and Trust


CONTENTS

EXECUTIVE SUMMARY

METHODOLOGY

WHO RESPONDED

CONSUMER SECURITY BEHAVIORS

PRIVACY ASSUMPTIONS AND TRUST

CONCLUSION

APPENDIX


EXECUTIVE SUMMARY

In the US, privacy has been viewed by many as a fundamental right, so it’s not surprising that our expectations for privacy also carry into the digital realm. In recent years, web users have experienced privacy lapses from major social networks and many have unfortunately been the victims of identity theft due to data breaches.[1] Data privacy and security is no longer just a concern for the technically savvy: web users have by necessity become familiar with the basics of protecting their personal data and controlling aspects of their privacy.

With this in mind, Varonis conducted a survey to learn more about the real-world digital security practices of online users. Our survey validates the primacy of privacy in the digital universe: 91% assume businesses will protect their personal data and online identities, and a near-unanimous 97% are more willing to do business with companies that protect their data.

Our survey tells us that consumers do take basic measures to protect their data. For mobile phone users, more than three out of four (77%) password-protect their phones. Almost one-half of respondents (47%) have even activated more secure two-factor authentication for their online services. They are also curious about what companies are doing with their data: 71% are diligent about reading end-user-license agreements and terms-of-service.

While these results are uplifting, they still leave substantial segments of our sample engaging in bad security habits: more than one-half (55%) admit to sending clear-text sensitive data in their emails, 38% will store personal data, including sensitive information, in cloud-based services, and an alarming 61% re-use the same password across multiple websites.

In trying to understand some of these bad behaviors, we observed a connection between online users assuming their data security is “taken care of” in the cloud and decreased willingness to take simple preventative measures. For example, those who assume that their providers are protecting or controlling access to their data (high privacy expectations) are more than twice as likely to send personal data in their email as clear text compared to those who assume there’s little protection offered by their providers (low privacy expectations).

The privacy expectations of our respondents differ greatly, perhaps based on their varying experiences with online services. It is clear, though, that in an ideal world they would do business only with highly secure services. While the security environment can be challenging for consumers, there are a few simple measures, which we discuss in the conclusion, that can be taken to protect private data from being potentially exposed to unauthorized parties, as well as hackers and other cyber thieves.


METHODOLOGY

In April 2013, Varonis introduced a survey consisting of 10 questions related to data privacy and security. The survey was published online and collected 200 responses from 184 different companies.

The survey’s questions were constructed to:

• Gain insight into consumers’ awareness of online security and privacy

• Determine consumers’ data security behaviors across several areas, including mobile and cloud

• Understand the level of data security and privacy protections users expect and want from their service providers


WHO RESPONDED

Our responses (over 200) were evenly split between under-1000-employee organizations (49%) and enterprise-class organizations (51%). In the survey, we also asked for departmental information, and learned that almost three-fourths (71%) came from IT.

We initially thought this heavier IT weighting would be an important factor in this survey, but that turned out not to be the case. We take up our analysis of results in the next two sections.

ORGANIZATION SIZE

[Chart: share of respondents by organization size. Categories: <500, 500-1000, 1001-5000, 5001-10000, 10001-50000, >50000 employees.]

WHAT AREA OF THE ORGANIZATION DO YOU WORK IN?

[Chart: share of respondents by department. Categories: Sales, R&D, Other, Marketing, IT, HR, Accounting. IT: 71%.]


CONSUMER SECURITY BEHAVIORS

We asked a series of questions about personal security habits involving passwords, emailing of personal information, and awareness of online privacy policies. There is good news here: we discovered that our respondents would score fairly high on any security report card.

DO YOU READ MOST OF THE EULA, TOS, OR PRIVACY POLICY OF INTERNET SERVICES?

• Yes, I read them and make sure I understand them: 55%

• Yes, I read them but don’t usually understand them: 16%

• No, I rarely read them: 21%

• No, I never read them: 8%

With the general public better informed about data security, perhaps it shouldn’t be that surprising. For example, it’s not unusual to find in the mainstream media articles about what online services are doing with legitimately collected data and even explanations of how hackers exploit their illegal data gains, subjects that were once more at home in the pages of the tech publications.[2]

We found that 71% claim to make the extra click that brings them to the fine print of online end-user-license agreements and terms of service. Almost three out of four report viewing the nitty-gritty text, with a mere 16% admitting to not understanding the legalese.

After reading (or pretending to read) the details, our survey population is also selective about what they will store in their cloud-services, for example Dropbox or Evernote: 32% won’t trust the cloud enough to keep personal data of any kind. Of the remainder, 38% will store personal data, including sensitive information, and 16% say that they’ll keep company data outside the corporate intranet.


DO YOU STORE ANY DATA ON INTERNET SERVICES SUCH AS DROPBOX?

• Yes, I use it to store personal data: 38%

• Yes, I use it to store company data: 16%

• Yes, but only personal data that isn’t sensitive: 14%

• No, I don’t store data on the Internet: 32%

For mobile users, the security awareness level is very high: 77% say they have at least implemented password protection on their phones. When using email, an impressive 47% have gone on record to say they have implemented multi-factor authentication.

DO YOU PASSWORD PROTECT YOUR MOBILE PHONE?

• Yes: 77%

• No: 23%

Even the most tech-savvy consumer may not know what this means. Multi-factor authentication involves not only providing a password to prove your identity but also showing that you have access to something else, usually a cell phone or other device. The service provider will send a verification code to the cell phone, which is then entered on the login form. In this scenario, hackers who’ve managed to snag a password will then be blocked by this second validation check.

Finally, when using their email, just 33% claim to have never sent unencrypted personal data over the Internet. However, this still leaves a large group (55%) that has sent sensitive data in clear-text form in their electronic correspondence and a smaller segment (12%) that is not even sure of what they’ve sent in their email.

While the responses overall indicate good security habits, they still leave significant sub-groups that are engaging in risky security behaviors: not password-protecting their phones (23%), storing company data in the cloud (16%), and not reading web services agreements (8%).


We note there is one large chink in this sample’s security armor: their willingness to use the same password on multiple sites (61%). It’s not unusual behavior for many consumers, despite being warned against it, but for a group that otherwise had high security marks, this really stands out. Hackers, of course, are at the ready to exploit this carelessness: once they’ve grabbed a single password, they have the keys to a user’s data kingdom.

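DO YOU EVER USE THE SAME PASSWORD ACROSS MULTIPLE SITES?

[Chart: share of respondents per answer. Answers: “I use a password manager”, “I never use the same password”, “I frequently use the same password”, “I always use the same password”. The two same-password answers together account for 61%.]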

Is it possible that the overweighting of IT in this sample may have skewed results? We would assume IT takes more precautions in their online interactions. But after comparing IT against the other departments in the survey, we couldn’t find significant differences in the breakdown of responses: answer patterns for IT were similar to non-IT respondents.

EULA VS DEPARTMENT

[Chart: answers to the EULA question, compared for IT and non-IT respondents. Answers: “Yes, I read them but don’t usually understand them”, “Yes, I read them and make sure I understand them”, “No, I rarely read them”, “No, I never read them”.]


PRIVACY ASSUMPTIONS AND TRUST

In one question, we specifically asked what users thought happened with the data they provided to organizations. Respondents could choose from “I think most businesses encrypt data”, “I think most businesses restrict who has access to my data”, along with other answers in order of decreasing data security and privacy expectations.

[Chart: share of respondents choosing each answer. Answers, in order of decreasing privacy expectation:

• I think most businesses encrypt my data wherever possible

• I think most businesses restrict who has access to my data as tightly as possible

• I think most businesses monitor who uses my data

• I think most businesses do some encryption, access control and access monitoring, but need to do more

• I don't think they protect my data at all

• I try not to think about it]

Overall, the responses tell us that our sample has high expectations, with just a small segment (18%) that has limited or no trust in their providers.

This suggests a different way to slice the data. We categorized these answers into three larger groupings (high, medium, and low privacy expectations) and then used this to segment other survey answers. This approach may explain some of the risky behaviors in the previous section. One representative comparison, privacy expectations vs. sending unencrypted data, is shown below.

Those who assume that organizations are offering privacy and data protections are more than twice as likely to send their personal data unencrypted compared to those with low or no expectations (68% vs. 30%). There are similar patterns present for other answers (see the appendix). We interpret this to mean that when you believe that security is “taken care of,” there’s less motivation to initiate basic security measures.


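PRIVACY EXPECTATION VS SENDING UNENCRYPTED DATA

[Chart: answers (No, Yes, Don’t Know) to whether respondents have sent unencrypted personal data, by privacy-expectation group (Low, Middle, High). “Yes”: 68% in the High group, 30% in the Low group.]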

How important is trust in a service provider?

We specifically asked our sample whether they would be more willing to do business with companies that protect data. The answer was nearly unanimous: 97% answered yes, and 54% were even willing to pay a premium.

Trust is obviously of overriding importance for consumers. In practice, though, we have our experiences with our providers and then develop privacy expectations. For a significant subgroup in our survey, security is something that is better done by others than by themselves.


CONCLUSION

Our survey provides support for the view that consumers are security savvy and that they are aware of the privacy aspects of putting personal data online. Technology is so enmeshed in our daily lives that security basics (e.g., don’t use any part of your name in a password) are considered common knowledge that you’re expected to know.

We also found that there are some troubling bad habits. Far too many are using the same password across multiple websites or applications, thereby putting personal information in danger of being breached. And too many are also breaking a basic security taboo: sending unencrypted sensitive information in emails.

However, it doesn’t take much to be a good citizen in the online world. By putting a few simple controls in place, individuals and businesses alike can drastically step up the defenses for guarding their personal information.

Without the benefit of an IT department, individual consumers will need to take more control of their security destiny. These simple rules will go a long way towards preventing or reducing the risk of personal data loss:

1. Know where your personal information is, who can access it, and understand what service providers can do with your data without opt-out consent.

2. Never send unencrypted PII or other sensitive data (especially account numbers, credit card and social security numbers, and health information) in an email.

3. Pick strong passwords (a mix of upper and lower case, numeric, and special symbols) and use a unique password for each site.

For businesses, these best practices and tips will resonate with IT departments:

4. Put basic controls around your sharable, cloud-based data by applying the 4 A’s:

• Authentication: verify anyone accessing an account is who they claim to be – multi-factor is better

• Authorization: make sure employees only have access to the data they need

• Auditing: all access must be monitored

• Alert: analyze activity for potential abuse

5. Make sure employees use protected, authorized platforms

6. Focus on the balance between productivity and security—employees need a modern work experience that doesn’t put organizational data at risk

[1] FTC Settles Privacy Issue at Facebook

[2] Criminals Exploit Linkedin Breach for Phishing Attack


APPENDIX

The following are survey results and other charts referenced in the report.

DO YOU HAVE MULTI-FACTOR AUTHENTICATION ENABLED FOR YOUR PERSONAL EMAIL?

[Chart: share of respondents per answer. Answers: “Yes”, “What’s multifactor authentication?”, “No”. “Yes”: 47%.]

PRIVACY EXPECTATION VS CLOUD STORAGE

[Chart: answers to the cloud-storage question, by privacy-expectation group (Low, Middle, High). Answers: “No, I don't store data on the Internet”, “Yes, but only personal data that isn’t sensitive”, “Yes, I use it to store company data”, “Yes, I use it to store personal data”.]

HAVE YOU EVER SENT UNENCRYPTED PERSONAL DATA?

• Yes: 55%

• No: 33%

• Don't Know: 12%


ABOUT VARONIS

Varonis is the leading provider of software solutions for unstructured, human-generated enterprise data. Varonis provides an innovative software platform that allows enterprises to map, analyze, manage and migrate their unstructured data. Varonis specializes in human-generated data, a type of unstructured data that includes an enterprise’s spreadsheets, word processing documents, presentations, audio files, video files, emails, text messages and any other data created by employees. This data often contains an enterprise’s financial information, product plans, strategic initiatives, intellectual property and numerous other forms of vital information. IT and business personnel deploy Varonis software for a variety of use cases, including data governance, data security, archiving, file synchronization, enhanced mobile data accessibility and information collaboration.
