Employees' curiosity can kill your company
An international survey carried out by Cyber-Ark has confirmed that a third of the employees of any given company could be accessing sensitive company data without authorisation.
The survey has also found that 74 per cent of employees admitted they could circumvent the controls currently in place to prevent access to internal information.
Cyber-Ark Software is an information security company that develops and markets digital vaults for securing and managing privileged identities and highly sensitive information within and across global enterprise networks. Its "Trust, Security and Passwords" report is a global survey of more than 400 senior IT professionals in both the US and UK, mainly from enterprise-class companies.
The third annual survey of its kind has not only confirmed previous trends but also warned that despite a sharp rise in data breaches and increased media awareness on the subject, there are still significant internal security gaps within companies.
Among the most revealing aspects of the survey were the types and quantity of information employees would take with them if they were fired. As the economic climate has worsened, the survey found a sharp increase in the number of respondents who say they would take proprietary data and information that is critical to maintaining competitive advantage and corporate security.
When asked this year "What would you take with you?" the survey found a six-fold increase in staff who said they would take financial reports or merger and acquisition plans, and a four-fold increase in those who would take CEO passwords and research and development plans.
Ominously, one in five companies admit having experienced cases of insider sabotage or IT security fraud. Of those companies, 36 per cent suspect that their competitors have received their company's highly sensitive information or intellectual property.
Organisations are increasingly aware of the need to monitor privileged account access and activity, with 71 per cent of respondents indicating that privileged accounts are partially monitored, while 91 per cent of those who are monitored admitting they are "okay with their employer's monitoring activities". Despite these efforts, 74 per cent of respondents revealed that even with the controls being put in place to monitor them, they could still get around them, making current controls ineffectual.
Highlighting the ineffectiveness of current controls and access policies, 35 per cent of IT administrators admitted they were using their administration rights to snoop around the network to access confidential or sensitive information. The most common areas respondents indicated they access are human resources records, followed by customer databases, redundancy lists and lastly, marketing information.
Andrew Borg, director at Computime Ltd, the local representatives of Cyber-Ark, is not surprised at all by the findings of the survey.
"We are all aware of corporate espionage, and of obtaining information for financial gain, however the survey also highlights how much 'snooping' can also be triggered by individual curiosity.
"Accessing human resource data to find out how much colleagues earn is one such example - a breach which may not be malicious or financially motivated, but which can be used, for example, to obtain leverage in negotiating a new remuneration package.
"Notwithstanding the possible non-malicious intentions, once information is illicitly obtained, it is immediately compromised with the possibility of a leak at any stage: to colleagues, with a competitor over a drink or when an individual changes job. Therefore, organisations have to be vigilant on the controls they introduce to safeguard the company's confidential information".
For Mr Borg, the most significant point covered in this survey is the exponential increase in employees who, if they were fired, would take proprietary data and information that is critical to maintaining competitive advantage and corporate security.
"This is a phenomenon brought about by the existing economic climate and current job insecurity. On this point alone, employers should re-assess what risks their organisations face and introduce the necessary controls to safeguard their informational assets.
"The implications here are various and have a domino effect. If the organisation anticipates tough times ahead, the risk of layoffs gives a general feeling of insecurity to the employees, resulting in more unauthorised access of sensitive information which will inevitably fall into the hands of the competitors should the respective employees be employed by competitors. These risks should be seriously assessed by all organisations who store confidential information electronically, even more so in this period of economic uncertainty."
Seeing how critical IT security is for both its customers and other corporations, Computime have a dedicated team to deal exclusively with network and internet security.
Over the years its team of security engineers have been trained and certified to implement various market leading security products. Computime's client base includes some of Malta's major banks and financial services, as well as other blue-chip companies overseas.
"The biggest threats will always be from the inside, as it is insiders who already have levels of access. They can be normal users, service users, power users, administrators... This means that they are already in a position of trust and have elevated privileges, something which the outsider will not usually have. Ultimately it will always be a case of who will police the policeman," Mr Borg pointed out.