
Insecure Employees, Like Serial Killers, Look Just Like Everyone Else

If you’re like me, you have an image in your head of what the oblivious, irresponsible, security-insecure employee looks like.

It's that guy who leaves his company passwords on a Post-it note on the computer monitor, for instance. Or the lady in the next cube who fixes her settings so she never has to log in to Salesforce—or the unified communications system—or anything else, if she can help it. Or the dude checking his personal email from inside the corporate network, forwarding on chain letters to co-workers and cat videos from “some guy who sent it to me on Facebook.”

But prepare for your image to be blown: like serial killers, the people who pose the greatest threat just seem like normal folks.


New research out from Bay Dynamics shows that in approximately 90% of incidents where employees leak sensitive data outside an organization, the offenders exhibit normal employee behavior as far as their peers and department are concerned.

Only approximately a tenth of data loss prevention incidents involve users who can be identified as deliberately taking shortcuts and exhibiting signs of being idiots.

In other words, the classic “who needs a new password?” scofflaws are the exceptions.

Approximately a fifth of incidents are caused by an uneducated workforce, but being clueless doesn’t necessarily mean, say, dialing up porn at lunch and clicking on a bunch of ads.

And how’s this for human nature: When called out by their employer, close to 80% of users who are overtly exhibiting risky behavior (i.e. indulging their gambling addiction while listening to a conference call—which is discovered via the telltale exclamations of “yeah baby!” percolating through his comments) actually go on to make changes so that they are more security-conscious.

What do you think? Could you identify risky employees by simply paying more attention?
