Reading, UK – January 27 2011 – A study of 1,000 UK office workers*, commissioned by Symantec to explore why important corporate information is routinely being lost, has revealed that employees are bringing ‘risk-taking’ behaviour into the workplace. UK workers are playing fast and loose with company data because they believe their good intentions outweigh the risks.
According to the study, 59 percent of the respondents describe themselves as ‘risk-takers’, rather than ‘cautious’ (33 percent). Furthermore, while 54 percent of the workers questioned said they were more cautious with their online behaviour at work than at home, this had not deterred 54 percent of them from removing company information from the workplace without their employer’s permission. This is despite acknowledging in the same survey that removing corporate information was the riskiest thing they could do other than losing a company laptop or mobile phone.
Perhaps unsurprisingly, when removing this information from company servers, workers chose to do so via insecure means. When questioned, 43 percent had uploaded files to staging sites, 36 percent emailed them to webmail accounts or third parties and 32 percent wrote data to a USB stick, MP3 player or external hard drive.
When asked why they took such risks with company information, a significant proportion of respondents thought they were doing so for legitimate reasons. 42 percent of workers said they wanted to use this data to work from home, and 28 percent used it during offsite meetings. ‘Illegitimate’ uses of corporate data were less widespread, with 27 percent admitting they took information to a new job and only 6 percent to disclose it to a third party. In light of recent leaks of sensitive information by WikiLeaks, awareness is growing around the more malicious insider, yet those with more well-meaning intentions can equally cause harm to an organisation’s brand, impact customer confidence and result in financial penalties.
Symantec undertook this research to investigate the level of risk posed to businesses by workers who inadvertently harm an organisation, even when their actions are well intended. David S Wall, Professor of Criminology at Durham University, used this data in a paper exploring the issue. He says: “These findings point to the concept of a negligent insider – those employees who have legitimate access to an IT system and who might cut corners to make life easy for themselves. During the course of their work they will accept organisational goals, but only as far as they do not encumber them with much more additional work, or can be used to lighten their load. They are a threat to the business but require education, not discipline, in the first instance.”
Jamie Cowper, principal product marketing manager at Symantec, concludes: “We’re all well aware of the dangers posed by workers determined to make mischief with company information – WikiLeaks has reinforced that particular danger. However, the risk created by employees who walk away with a copy of a confidential database attached to their car keys because they wanted to work on it over the weekend must also be taken into consideration.
“Our research shows that workers in the UK are deeply confused by this issue. They know they’re taking serious risks with sensitive information, but seem to think either that company security policies are a hindrance to their jobs or that they can get away with it as long as they’re careful. It’s a classic case of someone believing that it’s okay to do the wrong thing as long as it’s for the right reasons. The findings highlight just how vital it is for the UK’s IT departments to understand the importance of DLP technologies and to work with employees to explain not only what an organisation’s security policy is but why it matters.”
Symantec advises that organisations take the following seven steps to guard against information loss:
- Assess risks
- Identify and classify confidential information
- Develop information protection policies and procedures
- Deploy data loss prevention technologies that enable policy compliance and enforcement
- Communicate and educate stakeholders to create a compliance culture
- Integrate information protection practices into business processes
- Audit and hold stakeholders accountable