More than one in 10 Irish employees admit to having taken the contact list from their previous job, a new survey claims.
Double that number said they have emailed work documents to their home email account or have used social media during work hours.
The findings come from a survey of 1,000 people across Ireland. The poll was carried out by Amárach Research on behalf of Safetica Ireland, a provider of monitoring and data security software.
It found 12pc of respondents said they took the contact list with them when they left their company, 14pc print private documents in the workplace, 18pc take work home on a USB key and 19pc email documents to their home account.
Safetica said that bringing home company documents greatly increases the chance that the information could be compromised if USB keys or laptops are lost or stolen. Other risks include the possibility of emails being intercepted or spyware infection.
Data breaches have become a growing problem in Irish organisations; examples include Bord Gáis losing a laptop with details of 75,000 customers in 2009, the 2010 incident involving Phoenix Ireland’s loss of personal details of around 62,000 customers and Bank of Ireland’s missing USB key with about 900 customer account numbers, names and addresses.
The Data Protection Commissioner revealed last week that its office received a record 1,161 complaints in 2011, up from 783 in 2010. The DPC, Billy Hawkes, clarified that he did not see this as an actual increase in the number of breaches but as a sign of greater awareness of the need to report such incidents.
Heeding data security policies
Hugh Jones, director of Longstone Management and a data protection specialist at the Irish Computer Society, said many companies were undermining their own data security policies by not striking the right balance between strong governance and staff morale.
Jones added that the intent may not be sinister, such as when a staffer takes work home to work on it overnight ahead of a looming deadline. However, he said there are problems in taking the data out of a secure environment, over an often-unsecured line, to a machine that is outside the reach of the organisation’s support or governance obligations.
“By processing company data on their home PC, the staff member is actually bringing that machine into the company’s sphere of operations, and there are recent cases where personal PCs have been subpoenaed to track and account for missing data,” he told Siliconrepublic.com.
Jones suggested that organisations can take several steps to prevent possible data leakage, such as disabling PCs’ USB ports and CD-ROM and DVD burners, except for those staff with a valid, operational need to have them; tracking email usage to indicate any messages going out to webmail accounts; and encrypting all company mobile devices, including laptops, smartphones and storage keys.
Other measures include tracking outgoing messages for key words, like project or product names, which might be commercially sensitive, or providing secure VPN access for staff who regularly work off-site.
Jones also suggested staff training to raise awareness of the importance of company data, or including a clause in employee and sub-contractor agreements specifically addressing permission to use data, with strict penalties for breaching those terms.