Symantec says employees take security risks every day

The research into workers' risky strategies was carried out by David Wall, Professor of Criminology at Durham University, who found that 43% of respondents had uploaded files to staging sites, whilst 36% admitted they had emailed them to webmail accounts or third parties.

Professor Wall and his team also found that 32% of the 1000 UK office workers they surveyed had written company data to an insecure USB stick, MP3 player or external hard drive.

Interestingly, 59% of respondents described themselves as "risk-takers", rather than "cautious" (33%).

When asked why they took such risks with company information, a significant proportion of respondents thought they were doing so for legitimate reasons.

42% of workers said they wanted to use this data to work from home, and 28% used it during offsite meetings. 'Illegitimate' uses of corporate data were less widespread, with 27% admitting they took information to a new job and only 6% to disclose it to a third party.

According to Professor Wall, these findings point to the concept of a negligent insider – those employees who have legitimate access to an IT system and who might cut corners to make life easy for themselves.

"During the course of their work they will accept organisational goals, but only as far as they do not encumber them with much more additional work, or can be used to lighten their load", he said.

"They are a threat to the business but require education, not discipline in the first instance", he explained.

Commenting on the report – 'Organisational Security and the Insider Threat: Malicious, Negligent and Well-Meaning Insiders' – Jamie Cowper, principal product marketing manager at Symantec, noted that most people are well aware of the dangers posed by workers determined to make mischief with company information.

"However, the risk created by employees who walk away with a copy of a confidential database attached to their car keys because they wanted to work on it over the weekend must also be taken into consideration", he said.

To counter the issues raised in the research, Cowper recommends that IT security professionals should adopt a seven-step process, starting off with an assessment of risks, followed by the need to identify and classify confidential information.

IT managers should then, he says, develop information protection policies and procedures, and then deploy data loss prevention technologies that enable policy compliance and enforcement.

The fifth stage, he went on to say, is to communicate and educate stakeholders to create a compliance culture, and then integrate information protection practices into business processes.

The final stage, he adds, is to audit and hold stakeholders accountable.