Measuring the effectiveness of a formal security policy

The findings illustrate that breaking company policy is considered relatively acceptable

The ‘insider threat’ isn’t just apocryphal – study after study reveals that a company’s own employees are a serious threat to its security. 'The Human Factor in Data Protection' (Ponemon/Trend Micro) noted that “According to 78 percent of respondents, their organizations have experienced a data breach as a result of negligent or malicious employees or other insiders.” It is generally believed that negligent behavior is a more common threat than malicious behavior.

The most common security ‘device’ used to control staff behavior is the company security policy, reinforced by staff awareness training. The unknown factor is whether – and to what extent – this is effective. Today Safetica has published the results of a new survey it commissioned through TNS Omnibus into user behavior at work. The purpose was to analyze staff attitudes toward company policy, and to see whether knowledge of that policy actually modified their behavior.

A total of 663 British employees were asked about a series of behaviors and, for each one, whether they had done it knowing it was unrelated to work, or knowing it was against company policy. The behaviors ranged from printing personal files on company printers, to looking for alternative employment and taking company files home.

Thirty-two percent of respondents had used company printers to print their own files knowing it was not work-related, while only 24% did so knowing it was against company policy. A similar proportion used social media at work, while 22% did so against company policy. Twenty-three percent looked for alternative employment while at work, while 16% did so knowing they should not. Fewer actually took files home: 12% did so, while only 7% did so in the knowledge that it was contrary to the security policy.

Safetica sees one positive finding: the smaller numbers who indulge in ‘undesirable’ activities when they know it is contrary to company policy indicate that a formal policy does at least have some effect. More worryingly, it notes, “a relatively large percentage (up to one in four employees) engage in undesirable activities in spite of being aware of policies that prohibit them.”

The findings illustrate that breaking company policy is considered relatively acceptable, and that security implications may not have been considered. Those implications, warns Safetica, “range from the outgoing (public facing) threat of making inappropriate posts on social media, which potentially harm the company’s productivity and reputation, to the incoming threat of possible malware infection of company computers and networks caused by clicking unsafe links.”

Safetica is most concerned, however, with the number of staff willing to take files home against company policy. “Approximately one in ten people, on average, admit to having no qualms about doing that. In a company with 1000 employees, that means that up to 100 people are capable of walking away with sensitive company documents, which is a risk no company should take lightly.”
