Employees Willing to Leak and Sell Corporate Access
Almost a third of European employees have sent unauthorized information to a third party.
According to research of 4000 people in Europe, 29% of respondents have “purposefully” sent information out of their company, while 15% have taken “business critical information with them from one job to another”. Over half (59%) planned to use it in their next job.
Neil Thacker, deputy CISO at Forcepoint, said that the choice to steal information is about responsibility and accountability from a cultural perspective. “Once [an employee] leaves, their loyalty has gone and when loyalty is gone, we do see an essence of data leakage and storing.”
The research also found that 14% of respondents would sell corporate log-ins to an outsider, and 40% of those would do so for less than £200. Perhaps this is because 22% either do not believe data breaches incur a cost to their employers, or were unsure whether they would.
Mike Smart, product and solutions director at Forcepoint, said: “Research has consistently shown that breaches caused by employees are among the most damaging in terms of their financial and reputational impact. Organizations that ignore the potential security risks that can be caused by employees and other insiders miss an opportunity to strengthen their security posture and protect their companies more broadly.”
In an email to Infosecurity, Oliver Pinson-Roxburgh, EMEA director at Alert Logic, said: “In my experience, we never started a social engineering exercise with bribes as they would always alert security to our actions and would be sure to get us rumbled. We always made it through in other means before getting people to pay.
“That’s not to say the insider threat isn’t real; just that the attackers have loads of other more covert ways before going this route. It also really depends on the organization though – in more challenging environments, getting to someone inside the organization would always be an option and that would start with profiling the correct person to get you best access. This is also maybe where the respondents are going with this, which is ‘what could they possibly do with my access?’ I for sure would not want any of my employees considering that game of Russian roulette.”
Carl Leonard, principal security analyst at Forcepoint, added that the sensitivity of the breach depends on what the data is – personally identifiable information, credentials, business plans. “People’s behavior changes over time and you adjust your risk for doing certain things, and in the last month of [someone’s employment] you don’t let them download or access the source code repository and businesses have not got the know how to do that,” he said.
Pinson-Roxburgh said that overall, people want to do their jobs well and if they meet hurdles they will jump over them or pass under them – whichever is easier.
“Educate people to be diligent, limit their ability to make bad decisions and be able to detect an incident and be ready to respond,” he said. “I have also seen people just not understand their processes and procedures, and end up using unsafe online tools to do their job and inadvertently leak information. I am sure this is often a time pressure issue, or process gets in the way and they cannot understand the risk or impact on the business. Leaders need to take a stand and lead by example, drive good practice and behavior around security of data!”
Source: Information Security Magazine