8 Ways Ethically Compromised Employees Compromise Security
From audit cheats to bringing data to a new job, unscrupulous employees put organizations at risk.
July 10, 2016
The prevailing security wisdom to "trust but verify" comes from a deep well of painful experience.
The fact is that there are always a few bad apples in the barrel, and when it comes to employees--whether IT or your typical corporate user--the bad actors can introduce a lot of risk to the organization. But some IT executives may not realize just how many potential bad apples there can be, depending on the circumstances.
Here are a few statistics that show how prevalent shaky ethics really are in the workplace.
In a recent survey conducted by Firemon, a full 28% of IT staffers admitted to cheating on an audit just to pass. That ratio has actually gotten worse over the years--in the past five years it's gone up by 6 percentage points.
This may not be quite on the same level as stealing information, but this lack of ethics can breed a false sense of security that results in security incidents later on down the line.
Approximately one in five employees share login information with other members of their team, according to a survey conducted by SailPoint. While typically against policy, the practice may not be unethical in and of itself. However, rampant password-sharing is like the gateway drug of unethical behavior on the part of employees.
Take the latest case to hit the news, one in which a former employee of recruiting firm Korn/Ferry started up a competing business with ample use of his former employer's recruiting database. He'd been shut out of the database when his former credentials were revoked, but was able to access it using a password shared by a former colleague. Just this week, his conviction under the Computer Fraud and Abuse Act was upheld in appeals court.
While password sharing tends to sit in an ethical grey area, selling passwords is another matter entirely. And yet, a surprising number of employees are willing to do it.
In the same survey conducted by SailPoint, about one in seven employees admitted they'd sell their password to a third party, some for as little as $150.
A survey conducted among 2,000 corporate workers by LogRhythm showed that nearly a quarter of them admitted to having accessed or taken confidential information from their workplace. What's more, around one in 10 said they do so regularly, and 94% of those who did the deed said they'd never been caught.
A lot of the data stolen by unethical employees resembles the information used by the Korn/Ferry employee who benefited from his former coworker's password sharing. In one survey conducted by the Ponemon Institute on behalf of Symantec, around half of employees who had changed jobs brought intellectual property with them from their former employer, and 40% said they'd use it in their new jobs.
There are a lot of rationalizations when it comes to taking corporate data from current or former employers. The Ponemon study examined a number of them, including the belief that it doesn't harm the company, that the thief isn't personally receiving any direct economic gain, and the simple fact that the company doesn't strictly enforce its policies.
Perhaps the biggest rationalization, though, is when the person who takes the data had a hand in creating it.
About half of employees think that they have a right to intellectual property if they took part in developing it, according to Ponemon. For example, 44% of developers believe that they should have the right to re-use source code at another company.
Most disconcerting of all statistics are the ones around employee willingness to sell company data outright. One survey by Clearswift found that over a third of employees would sell their company's data for the right price.
For around one in five, that price would be as little as a meal for two at a top restaurant.