Employees exposed as Europe’s biggest data thieves

15 Jul 2008

Despite all the money spent on protecting a business’s computer systems from external threats, new research reveals that European businesses are increasingly at risk from the inside as employees steal, leak and expose valuable and sensitive information.

As a result, investments in solutions to protect corporate data from external threats and hacking are being undermined by the failure to fully communicate company security policies and by lax employee behaviour.

The study of 600 office workers across Europe, conducted by ICM Research and commissioned by McAfee, highlights the organisational dangers of data loss.

Employees are transferring an increasing amount of confidential data out of the business, using methods which often fall outside of the control of the IT department. 

The study suggests more than a third of European businesses (37pc) have no set policy for handling sensitive documents and, in cases where policies do already exist, almost a quarter (24pc) of employees don’t know what they are.

The research found that 132 million sensitive documents are being taken out of UK offices each week on portable devices.

Day-to-day internal documents and customer data/records are the two most common types of document to be taken out of a business electronically or physically. This is followed by company financial information.

Employees are increasingly using portable devices, including memory sticks and mobile phones to remove confidential data from their businesses

Web-based mail services and even instant messaging are being used to transfer sensitive information outside of the business.

§Some 52pc of European and 21pc of UK employees would take company data with them when they leave.

Last year, Boeing, Ernst & Young and Nationwide all suffered reputational challenges when the social security numbers, names and addresses of thousands of employees and customers were left open to identity fraud after unencrypted laptops were stolen from the homes and cars of their workforce.

The Israeli Interior Ministry also felt the force of a digital disaster when vital population registry information was leaked and posted on the internet. Compounding the almost inevitable loss in customer trust, research shows the financial implications of data breaches are on the increase.

Yet, it appears we are not taking the necessary steps to guard against security threats from insiders as the average European office worker takes 11 confidential documents out of their business weekly. Dutch employees are the worst offenders with 19 sensitive documents leaving company perimeters each week, followed by the Spanish who remove 13. The Brits are seemingly the most conscious of confidentiality, sharing an average of six documents per week.

Company business plans, financial information, employee records, customer data and legal contracts are all being placed at risk by the actions of European workers. Business owners should heed the fact that nearly a third (31pc) of those questioned send company financial information to others outside of the organisation as part of their daily routine, whilst 20pc also forward legal contracts.

Employee privacy is easily breached as a fifth (19pc) share their information with external contacts and, while 92pc admit that the safe handling of confidential documents is crucial to maintaining relationships with customers, some 39pc readily forward customer data and records to others outside the company. 

Company email remains the most common means of sending information externally, with 86pc admitting to forwarding documents regularly by email. However, many employees are also using methods which corporate IT departments have little or no control over.

USB sticks prove the most popular choice of portable devices with over a quarter of employees (26pc) regularly using this to remove information. However, rather than treating these devices with care, 15pc of office workers have lent them to others.

The traditional hard copy document retains its status as a prime potential business vulnerability.  IT departments rarely have the ability to monitor and restrict what is being printed out or where this information is left.  The study shows that employees frequently print out company financial information (83pc), customer records (83pc) and legal contracts (87pc). 

 “Whilst most organisations strive to comply with the legal policies that ensure the safe handling of sensitive information, they fail to recognise their employees as a potential achilles heel,” said Greg Day, security analyst at McAfee.

“Moreover, with data exposure potentially leading to compliance issues and the loss of intellectual property – sending out company assets can also ultimately mark the end of the business,” Day continued.

“These findings clearly indicate that data loss from within is growing issue and that companies need to address it alongside protecting themselves from external threats. We believe the solution lies in a combination of educating employees and investing in a comprehensive security management solution.”

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years