More than two in five office workers admit to taking sensitive data with them to a new employer when they leave a job, according to global information security company Cyber-Ark, while 26 percent said they would pass on company information to get friends or family members a job.
The survey of 600 office workers in London and New York aimed to examine the impact of the recession on ethics and security within the workplace. While 85 percent of the respondents admitted to knowing that downloading corporate information from their employer was illegal, a quarter of those surveyed said they would take the data regardless of the penalties.
When asked the reason for these thefts, 52 percent said they would do so “just in case” the data were to prove useful or advantageous in the future, while 28 percent would use the data to negotiate their new position, and 28 percent would consider using the data as a tool in their new job.
The survey found that the information most frequently targeted is customer and contact details, followed by access and password codes. Other information that is coveted includes product information, plans and proposals. Sixty percent of respondents said they considered it easy to steal information from under their bosses’ noses, often using a portable storage device such as a memory stick, USB flash drive or CD.
The findings suggest that the lack of job security during the recession has led to the security of sensitive information in many companies being compromised. Seventy percent of respondents said they would use their own IT access rights to find information about forthcoming redundancies. If they couldn’t find out the information on their own, 24 percent said they would approach a colleague in IT to get the inside information.
“Many workers are willing to do practically anything to ensure job security or make themselves more marketable – including committing a crime,” said Adam Bosnian, vice president of products and strategy at Cyber-Ark. “Organisations must be willing to make improvements to how they monitor and control access to databases, networks and systems – even by those privileged users who have legitimate rights.”
The news follows the passing of two new data breach notification laws in the US, requiring commerce agencies to notify anyone whose personal information may have been accessed in a security breach. The Personal Data Privacy and Security Act establishes guidelines for performing risk assessments and vulnerability testing, and controlling and logging access to sensitive information; the Data Breach Notification Act requires US agencies and corporations involved in interstate commerce to notify anyone whose personal information either was or may have been accessed or acquired in a breach.
“According to the Privacy Rights Clearinghouse, more than 330 million records containing sensitive personal information have been involved in data security breaches since 2005,” said Symantec CEO Enrique Salem at the time. “As such, we believe that the United States urgently needs to pass a national data breach law.”
There has also been a recent spate of data breaches in the UK. In early November the Rural Payments Agency lost tapes containing payment and banking details of 100,000 farmers in the UK. There have also been attempted hacker attacks on both the Guardian and Yahoo jobs websites with, in the case of the Guardian, the security of up to half a million users being compromised.
The recession has also been blamed for a doubling of data loss incidents, where cost-cutting has meant users make more mistakes.
View Comments
Sadly it comes as little surprise that so many see the threat of employee fraud growing due to the economy. However, the research highlights a concerning issue - full-time employees being seen as the highest risk segment.
Full-time employees are often given access privileges to systems when needed, but those privileges are rarely withdrawn when no longer necessary, thus heightening risk and temptation. Even worse, some companies don't govern user accounts and access rights to applications and data at all. They simply give employees carte blanche to access all computer systems whatever their role, rather than ensuring that only the right people have the right access to the right resources.
It is important to define and implement policies concerning user access rights to applications and data; create user accounts on various target systems with the appropriate access rights; modify user access rights to accounts over time as required by changing business needs; and disable accounts when users are no longer authorised to access them. Taking it a step further and automating this provisioning makes it even easier to consistently ensure that only authorised users have appropriate access to sensitive data.
The recent stories surrounding data theft reinforce the need for companies to have a sound Information Assurance strategy. This needs to comprise effective policy which is reinforced by technology. The correct controls need to be in place from the start - trying to put these in place after an employee has been sacked and has stolen data is like bolting the barn door after the horse has bolted. Whenever an organisation hires a new employee, there needs to be education about the data policy, and continual reinforcement of this to ensure that employees are updated on any policy changes. Organisations need to make sure that strategies are in place across the entire employee lifecycle, and ensure that these are effectively communicated, so as to prevent potentially catastrophic data loss.