Employees are prepared to steal company data!
In a previous post, I had talked about two employees who are charged with having allegedly gained access to their former employer’s network even though they had left the company a couple of years before.
This week a former employee with United Way in Miami was sentenced to 18 months in jail and fined $50,000 for accessing his former employer’s network and deleting files from the servers as well as putting a few spokes in the company’s telephone voice mail system.
There seem to be a growing trend among employees – disgruntled or not, current or past – who believe that they can do what they want with their employers’ data. Two separate studies this week revealed that although employees know that it is illegal to steal or tamper with company data, they are still prepared to do it nonetheless.
The two studies also found that companies are not doing much about the problem, even though they are aware that employees are a major threat to their data. Earlier this year, GFI conducted a survey in the UK, US and France and the results in all three countries showed that internal threats are being given very little priority with less than 20% of respondents stating that internal threats are a concern.
The statistics from the latest studies complement the findings of another survey by the Ponemon Institute earlier this year. Four in 10 employees admit to having taken sensitive data with them to a new position while one third said they would share sensitive data with friends or family in order to help them get a new job. Nearly half said they would steal data if they were dismissed tomorrow from their job.
So a good chunk of the workforce is willing to steal data to further their goals and position; thus you would expect the data owners to be a bit concerned. But no, employers appear to have their heads buried as deep as possible in the sand. They know it is happening; they know they are at risk and still they are not doing anything about it. Great news and a real confidence booster.
With so many channels of opportunity for data leakage, this attitude is baffling.
Here are a few of the most obvious methods:
- Use of insecure USB memory sticks
- Use of web-based personal email
- Applications downloaded from the Internet
- Sharing passwords with co-workers or friends
- Mobile devices, such as laptops, PDAs, smart phones etc
Most organizations will tell you that corporate data is extremely important and that secure data is not something to ignore or treat lightly. Securing data calls for a combination of measures using technology and security policies. There are some basic rules that all organizations must follow to secure their data and these include:
Monitor and manage the use of portable storage devices by employees. If you don’t know what devices are connected to the network and by whom, the risk of data leakage is high.
Limit access to those who need it. Data categorization and a thorough audit of access permissions is a must. You need to know who had access to data, why that individual has been granted access and whether that person is a single point of failure (e.g. only an administrator has the password to the customer databases).
Use content filtering software. Scanning outbound corporate email is a must to prevent business confidential attachments – such as customer lists, financial details, marketing plans, from being sent outside of the organization. Access to web-based email accounts should be banned because these are insecure and increase the risk of data leakage and other vulnerabilities. Files can be transferred using web-based email without detection.
Know where the data is. Organizations need to have complete control over their data and how it is transferred within and outside the building.
Organizations cannot continue to ignore the obvious. Yet with survey after survey showing that they don’t really care, is it surprising that employees are becoming more confident that they won’t be caught?
I don’t think so.
If businesses won’t do anything, someone else will! The state of Massachusetts is a case in point. As of March 2010 businesses will have to comply with state regulations that make it harder for confidential and sensitive data to be stolen. The regulations were drafted to counter a breach similar to what happened at TJX but should also help to counter any insider attempts at stealing data.