When it comes to creating enterprise-level security for your company, how much can the employees in your organization be trusted? Should IT expect that these workers follow basic security practices and keep sensitive information secure? Are internal threats a greater concern than outside ones?
These are just a few of the security questions and concerns being raised after a new report shows that many employees take a lax view of IT security, and many of these same workers are susceptible to cash bribes for their passwords.
For many years, most CIOs, chief security officers, and IT security managers have known that the biggest threats to their organization's information systems and data confidentiality come not from the outside, but from the inside. Still, it's hard to believe that more than 50% of workers will, at some time during their employment, willingly compromise some of the security of their organization's IT services, according to the recently released SailPoint 2016 Market Pulse Survey.
The report further confirms that internal data security threats within organizations are not diminishing over time, but actually increasing.
About 1,000 office workers in the US, the UK, Australia, France, Germany, and The Netherlands were surveyed for the report. All were employees of organizations with more than 1,000 workers, and 45% worked for companies with more than 10,000 employees.
The survey was commissioned by SailPoint Technologies and conducted by independent research firm Vanson Bourne.
"This year's Market Pulse Survey shines a light on the significant disconnect between how employees view their personal information and that of their employer, which could also include personal information of customers," Kevin Cunningham, president and founder of SailPoint, wrote in a March 20 statement. He continued:
Today's identity governance solutions can alleviate the challenge of remembering several passwords and automate IT controls and security policies, but it's imperative that employees understand the implications of how they adhere to those policies. It only takes one entry point out of hundreds of millions in a single enterprise for a hacker to gain access and cause a lot of damage.
Some of the findings are shocking. The behaviors the report describes are dangerous for any organization, but for businesses that handle confidential data or large databases the numbers are especially troubling. For example:
- Over 65% of the respondents admitted to using the same passwords across different applications, and 33% share their credentials with coworkers.
- One in five employees says he or she would sell passwords to an outsider, including competitors, and 44% of those would sell their passwords for less than $1,000.
- 26% of employees admitted to copying internal data to cloud services, such as Dropbox or Google Drive, with the specific intent of sharing that data outside the company.
The results of the study also shed some light on how willingness to sell credentials varies by location. More than twice as many US workers (27%) said they would sell their passwords to outsiders as employees of organizations in The Netherlands (12%).
Another key finding is how easy it is for former employees to access their previous corporate accounts after termination.
The study shows that over 40% of respondents said they could still access their previous employer's information using the same credentials they had while working there.
Based on the results of the survey, SailPoint Technologies estimates that in a 50,000-employee organization, 32,000 workers are using the same password across several applications, 17,000 share passwords with coworkers, and 10,000 would be willing to sell their passwords to an outsider.
Of that 10,000 willing to sell passwords, 4,400 of them are willing to sell for less than $1,000.
Former employees retaining access, though, is not only a matter of employee behavior: some of the blame belongs to the IT department and security admins, whose offboarding process should disable accounts, revoke credentials, and terminate sessions the moment employment ends.
What is clear from these findings is that organizations need to increase internal security and grant access only to the information each person needs, decided case by case. The recent release of the Panama Papers, which could have been an inside job although the law firm denies this, shows that giving some employees almost unlimited access can have disastrous consequences.
With all this in mind, there are three steps security and IT pros can take to limit the exposure:
- Enable logging of database access, so that for any particular piece of information it can be determined who retrieved it, when, and from where.
- Require a second authentication factor for access to any sensitive data, for example a fingerprint or other biometric, in addition to the password.
- Encrypt all sensitive data at rest, with keys held by the organization, so that files copied outside the organization cannot be read.
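As an added example (not from the article or from SailPoint), the following script shows what the first step above buys you once the logs exist: it reviews a handful of constructed database audit lines to answer who/when/where for a table, to flag activity by accounts that HR says are terminated (the former-employee finding above), and to spot one account used from two different addresses within a few minutes, which is the signature of a shared or sold password. The log format, the `SAMPLE_LOG` lines, and the `TERMINATED` roster are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<timestamp> <user> <source_ip> <table> <action>".
# The format is an assumption for this example, not a real database's log format.
SAMPLE_LOG = """\
2016-04-12T09:01:10Z alice 10.1.4.22 customers SELECT
2016-04-12T09:02:45Z bob 10.1.4.31 invoices SELECT
2016-04-12T09:03:00Z alice 203.0.113.9 customers SELECT
2016-04-12T09:03:30Z alice 10.1.4.22 customers SELECT
2016-04-12T11:15:02Z carol 10.1.4.40 payroll EXPORT
"""

# Assumed feed from HR: accounts whose owners have left and should be disabled.
TERMINATED = {"carol"}


def parse_log(text):
    """Turn raw audit lines into event dicts with a parsed UTC timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, table, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "table": table,
            "action": action,
        })
    return sorted(events, key=lambda e: e["ts"])


def who_when_where(events, table):
    """Step 1: answer 'who touched this data, when, and from where' for one table."""
    return [
        (e["user"], e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["ip"])
        for e in events if e["table"] == table
    ]


def find_terminated_access(events, terminated):
    """Any event by a terminated account is an offboarding failure worth paging on."""
    return [e for e in events if e["user"] in terminated]


def find_shared_credentials(events, window=timedelta(minutes=5)):
    """Flag accounts used from two different source addresses within `window`.

    One person rarely switches networks that fast; a shared or sold password
    is the likelier explanation. Returns {user: sorted list of addresses}.
    """
    by_user = defaultdict(list)
    for e in events:              # events are already in time order
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                flagged.setdefault(user, set()).update({prev["ip"], cur["ip"]})
    return {u: sorted(ips) for u, ips in flagged.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("payroll access:", who_when_where(events, "payroll"))
    print("terminated accounts still active:",
          [(e["user"], e["ip"]) for e in find_terminated_access(events, TERMINATED)])
    print("possible shared credentials:", find_shared_credentials(events))
```

The five-minute window is a tuning knob: VPN users and laptops moving between Wi-Fi networks will produce benign hits, so in practice the check is run against an allowlist of corporate address ranges, and a hit from an outside address (here 203.0.113.9) is the one that matters.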