Almost half of UK employees would use proprietary data without permission

In addition, 22% of US respondents and 29% of Australian respondents said they would feel comfortable doing something with sensitive data as well. SailPoint's Market Pulse Survey surveyed slightly more than 1,600 employees in the United States, Great Britain and Australia.

Further, 10% of American, 12% of Australian, and 27% of British employees with access admitted they would forward electronic files to a non-employee, and 9% of Americans, 8% of Australians and 24% of Britons of these same groups admitted they would copy electronic data and files to take with them when they leave a company.

“People are a bit casual about sensitive data and they shouldn’t be”, said Jackie Gilbert, vice president of product management and marketing at SailPoint.

SailPoint's survey also asked whether employees would feel comfortable profiting from proprietary information by selling it on the internet. While only 5% of American and 4% of Australian employees with access who answered the question selected this response, an alarming 24% of British employees with access said they would feel comfortable selling data.

“That is a pretty big difference [between British and American/Australian employees]…There are certain environmental factors that influence this. It could be partly cultural. I think that in a period of recession with frequent layoffs, people have much shorter tenures at companies than they used to. The notion of employee loyalty is a lot weaker than it used to be….You could speculate that the UK has been harder hit by the recession”, Gilbert told Infosecurity.

In addition to surveying employees about access to sensitive data, the SailPoint Market Pulse survey also asked them about accessing corporate data through mobile devices. The results highlight the importance of automatically de-provisioning employees, given the proliferation of mobile devices in the workforce. Specifically, 15% of American, 29% of British and 18% of Australian employees use their mobile devices to access their company's private intranet or portals.

Gilbert recommended that companies adopt a layered security approach to combat insider threats. “The tension between giving access to sensitive data in order for people to do their jobs and trying to control it is something that every company faces. You really do need layered security”, she said.

“Step one would be very explicit training on policies stressing that it is absolutely illegal or inappropriate to forward data or to take data with you when you leave a company. Step two…would be to strictly limit people’s access based on a need to know and need to perform job duties. That might sound easy, but it is difficult to do at large companies with lots of applications and thousands of employees…Step three would be to monitor access on an ongoing basis”, Gilbert said.
 
