One of the biggest exposures in IT systems is the simple fact that too many people have access to information they don’t need. The military has long kept everyone on a “need-to-know” basis, but companies in the digital age have been less effective in maintaining levels of data clearance.
Usually, this isn’t a problem. Most employees are honest people who wouldn’t do anything malicious with any corporate data. But as this information becomes increasingly valuable to outsiders, the temptation can be too much for some workers to overcome.
And according to a new survey from SailPoint, the number of workers willing to misuse data is troubling — especially in the U.K.
Of nearly 3,500 employees surveyed, a full 10% of U.S. employees (compared to 8% of Australians and 27% of Brits) said they would forward electronic files to a nonemployee. Furthermore, 9% of Americans (compared to 8% of Australians and 24% of Brits) would copy electronic data and files to take with them when they leave a company.
I’m not sure whether U.K. employees are more devious or just more honest, but even the lower totals in the United States and Australia show the enormity of the risk. That’s just a ton of people who have no qualms about leaking — if not outright thieving — data.
“Organizations should be very concerned about the number of employees that openly admitted to misusing proprietary data,” said SailPoint cofounder Jackie Gilbert. “These results show that insider threats represent a significant risk to the business. Some of the biggest and most costly data breaches have been directly tied to company employees. Having a written policy is not enough to ensure data security. Organizations need to have automated controls in place to monitor and manage user access controls in order to minimize the risk of insider theft or sabotage.”
What all this means is that while IT directors do need to figure out how to keep outside hackers from getting into the network, they also must determine how to keep those already within from exposing information to the outside.
As Gilbert says, access controls are a good start.