Sell my company's data? Make me an offer

Summary: A new survey says that if the price is right, nearly half of employees would happily sell on their company's information and confidential data.


A new survey suggests that the majority of businesses believe employees would sell on confidential corporate data -- as long as the honey pot is sweet enough.

Research conducted by Loudhouse, the 2013 Market Pulse Survey, collected the opinions of 400 IT executives across the United States and United Kingdom in companies with over 5,000 employees. The study found that not only are businesses struggling to secure their data in the world of bring-your-own-device (BYOD) and cloud computing, but also that 45 percent think staff would happily lift documents and sell them on for the right price.

According to the study (.pdf), insider threats are just as much of a worry as cyberattacks from external sources. Nearly half of IT executives -- 46 percent -- said they did not believe their company has effective internal controls over user access privileges, and the same proportion lack confidence in their ability to grant and revoke access when an employee joins or leaves an organisation.

Over half of respondents admitted their employees have read or seen company documents they should not have had access to. In addition, over half of firms have experienced a former employee trying to access corporate systems after leaving the company. 

Internal access management has also been negatively impacted by new trends including cloud computing and BYOD schemes. Security issues that already exist are exacerbated, and compliance problems have created new challenges for IT departments. While these new technologies can improve a business's flexibility and freedom, they also mean that complex systems and a large number of new access points to networks generated by BYOD devices can create a never-ending headache for security teams.

Over half of companies -- 53 percent -- have suffered a security failure, and 51 percent admit that it is "just a matter of time" before another data breach occurs. Within the survey, respondents said that critical issues contributing to security problems were an inability to get the whole picture across all systems (45 percent), over-reliance on IT support (43 percent) and an inability to manage new technologies (40 percent).

In addition, while 82 percent of companies allow employees to use their own devices, only 41 percent automatically remove mission-critical data from a device when an employee leaves -- and six percent admitted data is left on the gadgets.

The core problem is not just a lack of trust in staff, but a lack of confidence in IT systems. The research says that it is an "overall failure to fully manage identity and access" in corporate networks. In a statement, Jackie Gilbert, commissioner of the study and founder of SailPoint, said:

"Many organizations are struggling to manage 'who has access to what?' across the enterprise. And as our survey indicates, the growing adoption of cloud and mobile technologies is making the problem significantly worse. It's pretty clear that if you're not proactively managing cloud and mobile access today, you're at increased risk of fraud, data theft, and security breaches."

Topics: Security, Data Management, Privacy


Talkback

8 comments
  • Misleading summary

    I assumed from the summary a poll indicated that users admitted to be willing to sell out their companies, not that IT thinks poorly of the moral character of their users.

    IT executives should have a healthy (sic) degree of paranoia but that doesn't mean it's necessarily an accurate number.
    MajorlyCool
  • Since companies constantly treat their employees unethically, they expect

    the employees will have the same lack of morals and ethics.

    If someone doesn't trust you, they can't be trusted in the least.
    Reality Bites
    • Companies constantly treat their employees unethically?

      Really? In what way? I ask because it's not the case where I've worked. What have they done that is unethical?

      Maybe you should work for better companies?
      William.Farrel
      • They do exist

        I know, having unfortunately worked for one. The company that I worked for (I will not mention names or anything too specific due to them being in a position to not give me a reference) was a hardware supplier of medical equipment. I cannot remember all the dodges but they included:

        Due to getting the price of their equipment wrong at a trade fair they gave illegal versions of their own software with a crack (they had to buy this software from the Euro hq.)

        Due to only having a 3 month per year run at the company's factory, spares would often run out, so one customer unit in for repair would be cannibalised to fix another; one customer was charged for new components and the other never gave permission.

        They would charge £4k for a PC which, despite not needing to be, would be medical board tested. However, when they ran out of stock they would buy a similar looking - non tested - PC and sell it on as tested.

        There was plenty more which I cannot remember. I did tell a trade body once I had moved on but never heard back so have no idea whether anything came of it.

        I can say though it is an exception, most companies might be tight but I have never seen anything go so far as being unethical.
        n.gurr@...
  • it's a major source of access

    Employees have been selling data and/or access for ages. Usually it's a pittance compared to the profits the scammers and identity thieves gain. While some access is a result of brilliant hacking, many times it is so very simple just to fish for an employee with low morals and a low bank account balance.
    wizardjr
  • I think that this problem will get significantly worse

    I agree that "Many organizations are struggling to manage 'who has access to what?' across the enterprise" and "the growing adoption of cloud and mobile technologies is making the problem significantly worse". I think that this problem will get significantly worse during the next year.

    Many organizations are exposing large amounts of sensitive data to applications and users. Instead, all sensitive data should be protected by using modern data security methods before it is sent to the cloud or downloaded to mobile devices.

    Good news can be found in the study from the Aberdeen Group that revealed that “Over the last 12 months, data tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”. Aberdeen has also seen “a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data”. The name of the study is “Tokenization Gets Traction”.

    Below are a few words of guidance from the payment card industry, PCI SSC (PCI security council). The guidance is applicable for all sensitive data that is sent to the cloud.

    If you outsource to a public-cloud provider, they often have multiple data storage systems located in multiple data centers, which may often be in multiple countries or regions.

    Consequently, the client may not know the location of their data, or the data may exist in one or more of several locations at any particular time.

    Additionally, a client may have little or no visibility into the controls protecting their stored data. This can make validation of data security and access controls for a specific data set particularly challenging.

    In a public-cloud environment, one client’s data is typically stored with data belonging to multiple other clients. This makes a public cloud an attractive target for attackers, as the potential gain may be greater than that to be attained from attacking a number of organizations individually.

    I think it is time to listen to the guidance from Aberdeen and PCI SSC when it comes to securing sensitive data.

    Ulf Mattsson, CTO Protegrity
    ulf.mattsson@...
  • It goes both ways

    A survey I read not too long ago indicated that most office workers would trade their login password for an ice cream cone, or something equally trivial. Most offices have no sense of loyalty to their employees and will ditch anyone they feel like at any point, for any reason. When there's a sense of investment in the employees, employees take things more seriously. When employees feel like their job doesn't care about them, they don't care about their job.

    Technology has nothing at all to do with this.

    Joey
    voyager529
  • If you don't trust your employees, there's always the law

    I'm sure it's written into every employee's contract that he/she is forbidden to remove or copy data for use outside the company, or some similar wording. So if the employee breaks the contract, they can be sued UNLESS the employer has broken his/her end of the contract. So ethics apply to both parties and if the management is unethical, it can hardly blame its employees for behaving likewise.
    From an employee's viewpoint, behaving unethically has 2 negative aspects:
    1) it may lead to a criminal record
    2) it will almost certainly seriously impair chances of future employment
    So any employee thinking of selling data or merely giving it away should ask themselves, "Is it worth putting my future livelihood at risk for short-term gain?" To any intelligent person, the answer is obvious. Unfortunately there are too many people who act before they consider the consequences, so if I were an employer, I would make it absolutely clear that the full force of the law would be brought down on any employee who put the company at risk to the slightest degree and that activity monitoring software was active on all company PCs.
    JohnOfStony