Would you sell sensitive company data if you're offered the right incentive? Using the current economic situation, or pure greed as an excuse, 37% of employees surveyed at this year's Infosecurity Europe event said that they are keeping their options open.
What type of information are they willing to sell, and what kind of incentives are the potential insiders interested in?
The surveyed employees had access to the following company assets:
- 83% had access to customer databases
- 72% has access to business plans
- 53% had access to accounting systems
- 51% had access to HR databases
- 31% had access to IT admin passwords
The incentives that they required in order to hand over sensitive data:
- 63% required at least 1 million pounds to convert to insiders
- 10% would become insiders if their mortgage was paid off
- 5% are willing to participate in exchange for a holiday
- Another 5% would do it if they are offered a new job
- 4% would participate if their credit card debt is covered
In respect to bribery, is it always about the right incentive, offered at the right moment in time if you're to take the quality of the survey results for granted? It's all a matter of perspective, but controversial to the emphasis of the survey, namely, that criminals are getting more interested in bribing your company's employees into committing insider acts, recent cases speak for the true self-serving mentality of insiders :
- January, 2008 - New Jersey system administrator gets 30 months in prison for a logic bomb that he planted fearing potential layoffs
- July, 2008 - fearing potential layoffs, network administrator working for San Francisco's Department of Technology held the city hostage
- April, 2009 - apparently impatient to be recruited from potential criminals, a system administrator attempts to extort his employer after getting fired
- April, 2009 - another impatient to be recruited IT worker at the Federal Reserve Bank of New York has been caught stealing personal customer data and obtaining loans in the process
The big also picture speaks for itself. According to Verizon's 2009 Data Breach Investigations Report, 74% of the data breaches resulted from external sources (+1% increase from 2008), with only 20% caused by insiders (+2% increase from 2008), followed by insecure practices on behalf of business partners.
Disgruntled employees are always going to be there, especially in today's cloudy economic climate. But a simple cost-effectiveness analysis performed by a criminal attempting to recruit your employees, would reveal that what he's trying to obtain may be much more easily, even cheaper to obtain through external means.