Two In Five Office Workers Steal Sensitive Data

More than two in five office workers admit to taking sensitive data with them to a new employer when they leave a job, according to global information security company Cyber-Ark, while 26 percent said they would pass on company information to get friends or family members a job.

The survey of 600 office workers in London and New York aimed to examine the impact of the recession on ethics and security within the workplace. While 85 percent of the respondents admitted to knowing that downloading corporate information from their employer was illegal, a quarter of those surveyed said they would take the data regardless of the penalties.

When asked the reason for these thefts, 52 percent said they would do so “just in case” the data were to prove useful or advantageous in the future, while 28 percent would use the data to negotiate their new position and, 28 percent would consider using the data as a tool in their new job.

The survey found that the information most frequently targeted is customer and contact details, followed by access and password codes. Other information that is coveted includes product information, plans and proposals. Sixty percent of respondents said they considered it easy to steal information from under their bosses’ noses, often using a portable storage device such as a memory stick, USB flash drive or CD.

The findings suggest that that lack of job security during the recession has led to the security of sensitive information in many companies being compromised. Seventy percent of respondents said they would use their own IT access rights to find information about forthcoming redundancies. If they couldn’t find out the information on their own, 24 percent said they would approach a colleague in IT to get the inside information.

“Many workers are willing to do practically anything to ensure job security or make themselves more marketable – including committing a crime,” said Adam Bosnian, vice president of products and strategy at Cyber-Ark. “Organisations must be willing to make improvements to how they monitor and control access to databases, networks and systems – even by those privileged users who have legitimate rights.”

The news follows the passing of two new data breach notification laws in the US, requiring commerce agencies to notify anyone whose personal information may have been accessed in a security breach. The Personal Data Privacy and Security Act establishes guidelines for performing risk assessments and vulnerability testing, and controlling and logging access to sensitive information; the Data Breach Notification Act requires US agencies and corporations involved in interstate commerce to notify anyone whose personal information either was or may have been accessed or acquired in a breach.

“According to the Privacy Rights Clearinghouse, more than 330 million records containing sensitive personal information have been involved in data security breaches since 2005,” said Symantec CEO Enrique Salem at the time. “As such, we believe that the United States urgently needs to pass a national data breach law.”

There has also been a recent spate of data breaches in the UK. In early November the Rural Payments Agency lost tapes containing payment and banking details of 100,000 farmers in the UK. There have also been attempted hacker attacks on both the Guardian and Yahoo jobs websites with, in the case of the Guardian, the security of up to half a million users being compromised.

The recession has also been blamed for a doubling of data loss incidents, where cost-cutting has meant users make more mistakes.