A company’s own employees present one of the biggest threats to the security of its data – and many of those users are clueless when it comes to security policies and law.
Users frequently put data at risk or steal information outright, and do so without knowing they aren’t supposed to, according to a recent study from security vendor Symantec.
For example, 62% of users said it’s acceptable to transfer work-related documents to personal computers, tablets, smartphones or online file sharing applications. That’s despite the fact that most businesses have policies against doing so, and that many data breaches have occurred because unencrypted data was carried off an organization’s premises using a personal device.
In addition, among the 3,300 users surveyed:
- 50% of those who had left a job in the past year say they took sensitive information with them, with most believing that it doesn’t violate any security rules enforced by their employer,
- 56% believe it’s OK to use an employer’s trade secrets when working for a competitor, and
- 44% believe that intellectual property belongs to the person who created it, and that it’s not a crime to bring that property to other companies.
What it means for IT: Educating users about what the organization’s security policies are and why they’re in place could go a long way toward preventing many data breaches.
But that must go beyond holding a few training sessions. Awareness needs to begin with management and strong enforcement of policies — just 38% of survey respondents said their supervisor takes IT security seriously, and more than half (51%) believe taking data is OK because the company doesn’t strictly enforce its policies.
In addition to raising awareness, many companies could use better communication between IT and HR to help make sure access to confidential information is cut off as soon as someone leaves the company.
Many IT security incidents occur not just when a malicious insider is employed by the organization, but also just after the employee leaves. Sometimes it’s because the person takes confidential information to bring to a new job. Or an incident may occur if an employee is fired and uses remaining access privileges to delete data or cause other problems.