
Study shows UK workers fail to understand data value, putting firms at risk

Some 43% of UK employees say they do not understand the value of business data – and could be putting their organisations at risk

Only 7% of UK employees rate their business data higher than their personal information, a survey has revealed.

More than half of the 1,000 UK employees polled by independent research firm OnePoll said they value their own data more than their work data – while 43% said they "somewhat" or "completely" agree that they have no idea of the value of business data.

The study – commissioned by Fujitsu – found UK employees are cautious and many choose not to mix personal data and work data.

Nearly a third of respondents said they worry more about losing their personal data than their business data, with 89% admitting that they trust the security of personal emails over work ones.

Fujitsu said that, while 58% of respondents understand the risks around identity theft, the study suggests more needs to be done – from both businesses and employees.

Only 13% of respondents said they know what security their business has in place and almost a quarter feel as though their organisation and they themselves could be doing more.

“With 30% of employees agreeing that they worry more about losing personal data than business data, organisations have a challenge on their hands,” said Andy Herrington, head of Cyber Professional Services at Fujitsu.

“While there is no quick fix in changing these perceptions, the process needs to start with the people. Educating employees about the value of and how to protect personal data is a great starting point and businesses will see this data-safeguarding attitude trickle through the business, helping employees become part of the threat defence.”

Security awareness training

A June 2014 poll of top UK and UK-based firms, from security consultancy Company85, revealed that just over a fifth of the companies polled provided no security awareness training for employees.

Identity theft is no longer just about stealing identities, said Robert Arandjelovic, European director of security strategy at Blue Coat Systems.

“While classical identity theft will continue to exist, we are now seeing it being increasingly used as research gathering in social engineering as part of a larger, sophisticated cyber-attack. This allows attackers to assume the identity of key individuals to access corporate networks and take sensitive information,” he said.

According to Arandjelovic, the wealth of personal information on social media accelerates the speed of information gathering and makes social engineering easier.

“Our research shows UK employees should treat social media as cautiously as they treat unsolicited phone calls or emails. To combat this change, businesses should seek to strike a balance between technology and educating employees on the risks of social media,” he said.

Social engineering attacks are more complex than ever before as security technologies improve, Jenny Radcliffe, director and head of training and consultancy at Jenny Radcliffe Training, told Computer Weekly in May 2015.


“Attackers are no longer concerned with the technical controls, but instead get insiders to help by engaging with them and building trust relationships,” she said.

Although still relatively simple in conception, Radcliffe said these attacks are beginning to be more informed and backed by a level of complexity and planning that has not been seen before.

This planning typically involves building a profile of the target organisation and its employees using sources such as corporate websites, industry forums and social media sites, including Facebook, Twitter and LinkedIn.

“Attackers will then seek to build a trust relationship with an individual or individuals in the organisation over a long time, using the principles of influence and other academic ways of building trust,” said Radcliffe.

This makes it possible for attackers to identify the easiest way in and to manipulate employees of an organisation to help them gain access to the information they seek.

