A recently published survey carried out by Cyber-Ark (see the press release) highlights the ethical behaviour of employees and data theft.
A handful of findings:
- More than 40% admit to having taken data with them to their next job
- A third would download company information to help a friend
- 57% state that taking data is easy
- More than 40% prefer a USB memory stick
- 85% believe downloading company information is illegal
- 13% would take access and password codes
The respondents appear torn between doing the right thing and the somewhat dodgy. The majority state that downloading information is illegal, yet many appear to have acted illegally. The information container of choice is the USB stick, followed by email. It is probably also the case that many get away with pilfering information. Is it just a case of dealing with a grey ethical area? The respondents shy away from copying passwords, suggesting that this is seen as too risky. Conversely, people are likely to judge less sensitive information as fair game. This observer believes it is down to the ease with which the information can be copied off the premises.
Many IT professionals find it very difficult to eliminate the opportunity for data theft. Senior management does not help by not taking this seriously enough. Consequently, the IT department runs the risk of being held personally responsible. Just recall the many press stories about organisations having to come clean about losing data containers, whether they be USB sticks or laptop PCs (a couple of recent UK examples: DEFRA, UK ICO).
The issue is serious because in many organisations it is not clearly articulated. Employees and security officials are not clear about the rules. So state what is right and what is wrong, in spirit and in letter. Then state unequivocally when the rules will be tightened. Then introduce new procedures for handling information. It will soon become obvious that Information Security applications should be explored, if for nothing else than to eliminate adverse publicity.
The problem will get worse before it gets better. We take firewalls and virus protection for granted, and Information Security will become more widely adopted.
