Data leaks: Watch out for careless and disgruntled employees

Written by Sam Diaz

Outside hackers certainly can keep IT departments scrambling to keep a company's network and data secure. But what about "The Insider Threat": employees who are either careless with a company's data or disgruntled, and who pose even bigger threats?

Cisco, completing a three-part study on the topic, released findings in a white paper this week and made some interesting observations. In summary, the company found:

In the hands of uninformed, careless, or disgruntled employees, every device that accesses the network or stores data is a potential risk to intellectual property or sensitive customer data. Magnifying this problem is a disconnect between the beliefs of IT professionals and the realities of the current security environment for countless businesses. The new findings show that “insider threats” have the potential to cause greater financial losses than attacks that originate outside the company.

The study concluded that:

  • 33 percent of IT professionals were most concerned about data being lost or stolen through USB devices.
  • 39 percent of IT professionals worldwide were more concerned about the threat from their own employees than the threat from outside hackers.
  • 27 percent of IT professionals admitted that they did not know the trends of data loss incidents over the past few years.

One of the most common mistakes that companies make is to think that the biggest threat is the disgruntled employee, the person who behaves in a malicious manner to get even. But watch out for the careless employee - the one who speaks loudly about confidential company information into a cell phone while waiting at the airport gate. (We've all heard that guy, right?) In many cases, IT departments expect some degree of professionalism, security awareness and common-sense precautions from employees. But that's not always the case.

Likewise, there's also the matter of employees who are simply careless or unaware that their actions (or lack of action) could compromise company information - things like failing to log off or leaving passwords in sight. And then, of course, there are those employees who simply lose their devices, whether a mobile phone, laptop or portable hard drive. Interestingly, of those employees who have reported loss or theft of a corporate device, 26 percent were repeat offenders who experienced more than one incident in the past year.

So, what's a company to do? For starters, education, training and awareness are key. Policies need to be put in place but, more importantly, companies need to work to create a culture where data protection is on the minds of all employees.

The first two papers in Cisco's series focused on how data security is compromised through the unintentional and unwise behavior of employees and IT professionals. The initial paper, Data Leakage Worldwide: Common Risks and Mistakes Employees Make, looked at data loss from an employee perspective. The second, Data Leakage Worldwide: The Effectiveness of Security Policies, looked at data loss from an IT perspective. The study, commissioned by Cisco and conducted by U.S.-based market research firm InsightExpress, polled more than 2000 employees and information technology professionals in 10 countries. A country-by-country look at some of the findings is in the chart below.

 

 
