Risk Security

Employees willing to leak and sell corporate access

Almost a third of European employees have sent unauthorized information to a third party.

According to research of 4000 people in Europe, 29% of respondents have “purposefully” sent information out of their company, while 15% have taken “business critical information with them from one job to another”. Over half (59%) planned to use it in their next job.

Neil Thacker, deputy CISO at Forcepoint, said that the choice to steal information is about responsibility and accountability from a cultural perspective. “Once [an employee] leaves, their loyalty has gone and when loyalty is gone, we do see an essence of data leakage and storing.”

The research also found that 14% of respondents would sell corporate log-ins to an outsider, and 40% of those would do so for less than £200. Perhaps this is because 22% either do not believe data breaches incur a cost to their employers, or were unsure whether they would.

Mike Smart, product and solutions director at Forcepoint, said: “Research has consistently shown that breaches caused by employees are among the most damaging in terms of their financial and reputational impact. Organizations that ignore the potential security risks that can be caused by employees and other insiders miss an opportunity to strengthen their security posture and protect their companies more broadly.”

RELATED VIDEO: Edward Snowden on Passwords: Last Week Tonight with John Oliver

In an email to Infosecurity, Oliver Pinson-Roxburgh, EMEA director at Alert Logic, said: “In my experience, we never started a social engineering exercise with bribes as they would always alert security to our actions and would be sure to get us rumbled. We always made it through in other means before getting people to pay.

“That’s not to say the insider threat isn’t real; just that the attackers have loads of other more covert ways before going this route. It also really depends on the organization though – in more challenging environments, getting to someone inside the organization would always be an option and that would start with profiling the correct person to get you best access. This is also maybe where the respondents are going with this, which is ‘what could they possibly do with my access?’ I for sure would not want any of my employees considering that game of Russian roulette.”

Source: Infosecurity

Read entire post grey

Leave a comment

%d bloggers like this: