Insider data thieves get away "scot free"

Controls on access to data by both staff and ex-staff are lax, and even when caught, insiders stealing data get away 'scot-free' says new survey.

Insider data thieves get away "scot free"
Insider data thieves get away "scot free"

An insider-threat survey that unusually canvasses end-users as well as IT professionals has found that a worrying 40 percent of people have used their old passwords and user names to access company information after they have left.

The ‘UK Cybersecurity Survey', conducted by OnePoll for security firm LogRhythm, finds almost half of end-users have accessed or taken confidential data from their existing company. And while 20 percent have been caught doing so, in two-thirds of cases their boss just ‘had a word' and with 25 percent nothing happened to them.

The survey finds that, while businesses are increasingly aware of the insider threat, more than half have done nothing extra since Snowden to guard against it and organisations still lack enforceable controls to stop and punish culprits.

As a result, LogRhythm managing director for international markets Ross Brewer accuses UK companies of letting users get away with stealing confidential data “scot free”.

He told SCMagazineUK.com via email: “Post-Snowden we might have assumed that businesses would be far more vigilant of the data and systems that their staff access, given the incident elevated the issue in astronomical proportions, but it is apparent that this simply isn't the case. We know that some employees get caught, but the fact that there are no repercussions goes to show that organisations still aren't taking the issue of rogue insiders seriously enough.

“Businesses wouldn't sit back and let an external hacker waltz through their systems unperturbed, but that's what they are effectively doing when they don't punish the insiders doing it.”

Brewer added: “First and foremost organisations must have the systems in place to know when an employee is behaving abnormally and accessing information they shouldn't be. From there, they should be stopping and punishing the perpetrators. ‘Having a word' probably won't stop them from doing it again, nor deter others from doing the same – theft is a serious crime, and the punishment should therefore be fitting.”

Security expert Amar Singh, chair of the UK Security Advisory Group at information security professionals' organisations ISACA, said he was not surprised by the findings - and he too criticised companies for failing to direct employees.

“Organisations do not engage with their users on a regular basis to inform them of their responsibilities,” he told SCMagazineUK.com. “The assumption is that ‘we sent out a policy pack and T&Cs when he/she joined; they should know better'.”

Singh added: “I think the root cause of all this could be that organisations themselves have not understood the need to embrace a structured, company-wide information security management and governance approach to managing and securing their information.”

Among other results, the survey found that less than half of organisations (48 per cent) regularly change passwords to stop ex-employees gaining access, and that a third of IT professionals could not even say whether their organisation had ever suffered a breach.

Brewer commented: “Surely this knowledge should be the bare minimum? Businesses clearly need to increase the level of visibility that they have into their networks in order to spot any questionable activity.”

The survey questioned 1,000 IT professionals and 200 end-user consumers. It echoes a recent study by Vormetric and Ovum which found that just nine percent of European organisations feel safe from the insider threat and that “insider threats are among the most prominent IT security issues facing organisations today”.