A new survey has shown that most British office workers will ignore security policies and take risks with corporate information if they think it will make their lives easier or help them get their jobs done.
Security vendor Symantec Corp. commissioned the study last October, quizzing 1,000 UK office workers about their attitudes toward security and risk taking. The resulting insider threat statistics are worrisome. More than half of those questioned (54%) said they had removed information from the workplace without permission, though a large portion (42%) of those taking data said they wanted to work on it from home, and 28% said they needed it for off-site meetings.
However, a portion of those questioned were motivated by bad intentions. More than a quarter (27%) said they had removed information to take to another job, and 6% admitted taking information to show to a third party.
The most popular method of removing data was to copy it to a staging site on the Internet, such as iDisk or DropBox, with 43% choosing this channel; 36% used webmail to send out files as attachments, and 32% copied information onto a USB device.
However, companies should not rush to punish employees who break the rules, said David Wall, professor of criminology at Durham University, who recently produced a white paper on insider threats on behalf of Symantec.
"It's all too easy to treat those who break security policy as deviants, but they are often just trying to do their job against rules that make it hard for them," said Professor Wall. "People are not robots and they will sometimes try to take control of their lives if the security culture is too hard."
He advised user education before punishment, and warned that focusing too much on security can have knock-on negative effects. "Companies can become overly bureaucratic, and, while rules may be made for logical reasons, in the real world people need to have discretion to make their own decisions."
Wall added that, whilst appropriate access can be enforced via technology, "the policies behind the design of those systems need to be sensitive enough to allow for appropriate individual staff innovation and also not restrict productive working relationships between staff within the organization."
Jamie Cowper, principal product marketing manager for Symantec in Europe, said it was important for organisations to recognise the problem of insider threats, and that technology could play a role in reducing them.
"The research shows users moving information around in an insecure way," Cowper said. "But if you have data leakage prevention (DLP) technology in place, it allows you to alert users when they are going to do something wrong, or enforce encryption, or block [the action]."
He said the best approach is to help the user do his or her job in a secure fashion, but he also conceded that some organisations still find DLP hard to implement. "DLP is still not a default technology like antivirus. It is still in the emerging category," Cowper said.
Since few companies do a full data classification, he said, the best approach is to identify the company's "crown jewels" -- its most important information -- and work on protecting them first. "Rather than trying to do it all at once, take a more controlled approach," Cowper said. "Get buy-in from the relevant business units, focusing on the vital information. Then you can build out from there."