Most companies know they have information that is vital to their survival and that could damage the company if it fell into the wrong hands, but insider data theft is rife in the UK, a survey has revealed.
In a sample of more than 1,000 UK employees by security firm Imperva, 72% admitted taking data from an employer. This included customer data (26%), HR records (25%), marketing data (25%) and redundancy information (10%).
But how are they getting access to the information and how are they getting it out of their organisations?
Accessing the information appears to be extremely easy, with more than half of respondents admitting they look at information not related to their jobs. At least half of these said information was stored in files with unrestricted access, 27% admitted abusing their legitimate user credentials, and only 7% said they had to use another employee's password.
Customer records topped the list of information viewed on the sly (50%), followed by merger and acquisition plans (17%), strategic planning information (14%), and redundancy lists (5%).
Getting the information out of the organisation is also relatively easy. According to the survey, the most common methods of getting the data out were USB memory sticks (23%), personal laptops (23%), other portable storage (19%), and mobile phones (13%).
The most obvious problem is a lack of effective controls within UK companies, with a quarter of those polled saying their organisations did not restrict their access to sensitive information, and where there were controls in place, 44% of employees said they could get around these measures.
"Companies are their own worst enemies, and this study confirms that," says Amichai Shulman, chief technology officer at Imperva.
Employers need to re-examine what restrictions they have in place as a matter of urgency because they are not doing the job and are being circumnavigated, he says.
According to Shulman, many businesses need to create policies that cover what is sensitive information, what is unacceptable behaviour, and what the penalties are for breaching such policies.
This is especially important because 59% of those polled said they would take information because they believed this information was rightfully theirs, including employees changing jobs.
"That employees steal data is nothing new, but it is surprising to see the number of people who think they are entitled to do so," says Shulman.
This is a less obvious problem, he says, because it does not fit in with the conventional view of threats. "Most data leakage is not due to disgruntled employees or through malicious intent, but because most people believe they own the data."
To overcome this and curb the loss of data to competitors, employers need to understand the problem, and define what constitutes intellectual property and why they retain ownership, says Shulman.
The same applies to customer data, he says. "Creating policies that you adhere to means everyone knows where they stand and what is expected of them."
Another area of policy that companies typically neglect, is policy regarding the removal of corporate information from personal devices when people leave.
"Alarm bells should be ringing with 85% of respondents saying they had sensitive data on their home computer or mobile," says Shulman.
Three quarters of respondents said they had a customer database on personal devices, and 27% had some form of intellectual property.
No tools for leaving process
But the survey found 60% of organisations did not have a policy to cover the removal of corporate information from personal devices when employees leave the company.
The reason for this state of affairs, says Shulman, is a combination of a lack of awareness and a lack of the right tools.
But, he says, tools are becoming available that enable organisations to track and control files that contain sensitive information based on content, and it is up to IT security professionals to secure funding by ensuring those who are able to allocate budget are aware of the threat these activities pose to the business.
"Effective tools will enable organisations to express their data protection policies rules based on the information they want to control," he says.
Shulman believes that once UK law requires companies to report data breaches, there will be a growing awareness of just how much data is lost through employees in the course of normal business.
"Regulation will cause a surge in reports of data breaches, and organisations will no longer be able to ignore the threat," he says.