igor - Fotolia
A third of employees will sell company data if the price is right, study reveals
For £5,000, a quarter of employees polled said they would sell confidential company data, and risk both their job and criminal convictions
More than a third of employees would sell information on company patents, financial records and customer credit card details if the price was right, a study has revealed.
According to a poll of 4,000 employees in the UK, Germany, US and Australia showed that for £5,000, 25% said they would sell confidential company data, and risk both their job and criminal convictions.
The study, commissioned by security firm Clearswift, also revealed that 3% of employees would sell company information for as little as £100, while 18% would accept an offer of £1,000, and 35% were open to bribes of £50,000.
Clearswift said such information can prove very valuable to competitors and criminals, and employee bribery can be an easy way in, as security systems become more sophisticated.
Improved security systems are driving increasingly complex social engineering techniques as attackers seek alternative, easier routes into corporate networks and data.
“While people are generally taking security more seriously – 65% of employees said they wouldn’t sell data for any price – there is still a significant group of people who are willing to profit from selling something that doesn’t belong to them. This information can be worth millions of pounds,” said Clearswift chief executive Heath Davies.
“A case in point of the true value of data is the recent Ashley Madison hack, where user data has been accessed by a member of their extended enterprise – part of their technical services – according to the site’s chief executive, and the effects have been monumental,” he said.
The site announced earlier in 2015 that it hoped to raise £130m in an initial public offering in London this year, but Davies said it may have lost out on this opportunity due to the security breach, reducing the value of its entire business.
“The attack may have burned a hole in its prospects and has already had a ripple effect on its sister sites Cougar Life and Established Men. As such, it is important for companies to understand the risk and address it appropriately – this research can help them do that,” he said.
Read more about social engineering
- Move beyond prevention to fast detection to combat a stealthy social engineering attack
- As more data moves online, social engineering techniques are becoming increasingly advanced
- Can one Web browser better protect an enterprise from socially engineered malware than another?
The opportunity to sell valuable information is exacerbated by the ready access most employees have to it, with 61% of respondents saying they had access to private customer data, 51% to financial data such as company accounts or shareholder information, and 49% to sensitive product information such as planned launches and patents.
Attitudes to data security were mixed, with only 29% saying that company data was their personal responsibility, and 22% saying they did not feel it was their responsibility at all.
A corresponding Clearswift survey of 504 information security professionals revealed 62% think employees do not care enough about the implications of a security breach to change their behaviour.
“It is not good business to live in fear of your employees, especially as most can be trusted. Getting the balance right has always been hard. But truly understanding where the problems come from, combined with advances in technology which can adapt to respond differently to different threats, really changes the game here,” said Davies.
“Organisations need to find ways to control where sensitive data is stored and put safeguards in place which prevent it from leaving the company network. Many companies do this, but a lot of large companies with very valuable data do not,” he said.
Another survey, commissioned by Fujitsu, revealed that only 7% of UK employees rate their business data higher than their personal information, and more than half of those polled said they value their own data more than their work data, while 43% said they "somewhat" or "completely" agree that they have no idea of the value of business data.
Fujitsu said that, while 58% of respondents understand the risks around identity theft, the study suggests more needs to be done – from both businesses and employees.
Only 13% of respondents said they know what security their business has in place and almost a quarter feel as though their organisation and they themselves could be doing more.
“With 30% of employees agreeing that they worry more about losing personal data than business data, organisations have a challenge on their hands,” said Andy Herrington, head of cyber professional services at Fujitsu.
“While there is no quick fix in changing these perceptions, the process needs to start with the people. Educating employees about the value of and how to protect personal data is a great starting point and businesses will see this data-safeguarding attitude trickle through the business, helping employees become part of the threat defence,” he said.