New research from Symantec claims half of UK office workers are actively ignoring the risks posed by being careless with company data. The study of 1,000 UK office workers has revealed that employees are bringing ‘risk-taking’ behaviour into the workplace. It seems workers are playing fast and loose with company data because they believe their good intentions outweigh the risks.
According to the study, 59% of the respondents describe themselves as ‘risk-takers’, rather than ‘cautious’ (33%). Furthermore, while 54% of the workers questioned said they were more cautious with their online behaviour at work than at home, this had not deterred 54% of them from removing company information from the workplace without their employer’s permission.
This is despite acknowledging in the same survey that removing corporate information was the riskiest thing they could do other than losing a company laptop or mobile phone.
Perhaps unsurprisingly, when removing this information from company servers, workers chose to do so via insecure means. When questioned, 43% had uploaded files to staging sites, 36% e-mailed them to webmail accounts or third parties and 32% wrote data to a USB stick, MP3 player or external hard drive.
When asked why they took such risks with company information, a significant proportion of respondents thought they were doing so for legitimate reasons. 42% of workers said they wanted to use this data to work from home, and 28% used it during offsite meetings.
‘Illegitimate’ uses of corporate data were less widespread, with 27% admitting they took information to a new job and only 6% admitting they took it to disclose it to a third party. In light of recent leaks of sensitive information by WikiLeaks, awareness of the more malicious insider is growing, yet those with more well-meaning intentions can equally cause harm to an organisation’s brand, impact customer confidence and result in financial penalties.
Symantec said it undertook this research to investigate the level of risk posed to businesses by workers who inadvertently harm an organisation, even when their actions are well intended. David S Wall, Professor of Criminology at Durham University, used this data in a paper exploring the issue.
He said: “These findings point to the concept of a negligent insider – those employees who have legitimate access to an IT system and who might cut corners to make life easy for themselves. During the course of their work they will accept organisational goals, but only as far as they do not encumber them with much more additional work, or can be used to lighten their load. They are a threat to the business but require education, not discipline in the first instance.”
Jamie Cowper, principal product marketing manager at Symantec, concluded: “We’re all well aware of the dangers posed by workers determined to make mischief with company information – WikiLeaks has reinforced that particular danger. However, the risk created by employees who walk away with a copy of a confidential database attached to their car keys because they wanted to work on it over the weekend must also be taken into consideration.
“Our research shows that workers in the UK are deeply confused by this issue. They know they’re taking serious risks with sensitive information, but seem to think either that company security policies are a hindrance to their jobs or that they can get away with it as long as they’re careful.
“It’s a classic case of someone believing that it’s okay to do the wrong thing as long as it’s for the right reasons. The findings highlight just how vital it is for the UK’s IT departments to understand the importance of DLP technologies and to work with employees to explain not only what an organisation’s security policy is but why it matters.”