Insecure Employees, Like Serial Killers, Look Just Like Everyone Else

If you’re like me, you have an image in your head of what the oblivious, irresponsible, security-insecure employee looks like.

It's that guy who leaves his company passwords on a post-it note on the computer monitor, for instance. Or the lady in the next cube who fixes her settings so she never has to log in to Salesforce—or the unified communications system—or anything else, if she can help it. Or, the dude checking his personal email from inside the corporate network, forwarding on chain letters to co-workers and cat videos from “some guy who sent it to me on Facebook.”

But prepare for your image to be blown: like serial killers, the people who pose the most threat just seem like normal folks.


New research out from Bay Dynamics shows that in approximately 90% of incidents where employees leak sensitive data outside an organization, the offenders exhibit normal employee behavior as far as their peers and department are concerned.

Only approximately a tenth of data loss prevention incidents involve users who can be identified as deliberately taking shortcuts and exhibiting signs of being idiots.

In other words, the classic “who needs a new password?” scofflaws are the exceptions.

Approximately a fifth of incidents are caused by an uneducated workforce, but being clueless doesn’t necessarily mean, say, dialing up porn at lunch and clicking on a bunch of ads.

And how’s this for human nature: When called out by their employer, close to 80% of users who are overtly exhibiting risky behavior (i.e. indulging their gambling addiction while listening to a conference call—which is discovered via the telltale exclamations of “yeah baby!” percolating through their comments) actually go on to make changes so that they are more security-conscious.

What do you think? Could you identify risky employees by simply paying more attention?
