Some employees won't think twice about selling company data for Caribbean trip, claims report
5 min read
29 July 2015
Research by Clearswift amongst 4,000 employees in Britain, Germany, US and Australia, found that for £5,000 – the price of a family Caribbean holiday or less than three months of the average UK monthly wage – 25 per cent would sell company patents, financial records and customer credit card details.
According to the latest Clearswift report, while 65 per cent of employees said they wouldn’t sell data for any price, there is a group of people who are willing to profit from selling something that “doesn’t belong to them“.
It found that three per cent of employees would sell private information for as little as £100, rising to 18 per cent when made an offer of £1,000. The number of employees open to bribes increases to 35 per cent as the offer reaches £50,000.
The information being sold can be worth millions of pounds, the report claimed.
“A case in point of the true value of data is the recent Ashley Madison hack, where user data has been accessed by a member of the company, according to the site’s CEO; the effects of which have been monumental,” said Heath Davies, CEO of Clearswift. “The site announced earlier this year that it hoped to raise £130m in an IPO in London and it may have lost out on this opportunity – reducing the value of its entire business.”
He further stressed that the attack may have burned a hole in its prospects and has already had a ripple effect on its sister sites Cougar Life and Established Men.
The opportunity to sell valuable information is exacerbated by the ready access most employees have to it. Some 61 per cent of respondents said they had access to private customer data, 51 per cent to financial data such as company accounts or shareholder information, and 49 per cent to sensitive product information such as planned launches and patents.
Attitudes to data security were also mixed, with only 29 per cent saying that company data was their personal responsibility, and 22 per cent saying they didn’t feel it was their responsibility at all.
Read more on cyber security:
- Joint venture forged to incubate small cyber firms securing Internet of Things and big data
- Nearly one in ten UK workers watch porn at work despite knowing it’s risky
- Government to unite 50 young British cyber security experts from 13 UK universities
A corresponding Clearswift survey of 504 information security professionals found that 62 per cent thought employees didn’t care enough about the implications of a security breach to change their behaviour.
This echoed a January 2015 report from SailPoint, which revealed that the majority of 1,000 employees at major organisations across the UK would be tempted to hand over passwords for £100. Furthermore, a 2012 survey concluded that almost half of its respondents would sell corporate passwords for less than £5, while 30 per cent would sell data for £1.
Muddu Sudhakar, CEO of Caspida, is of the belief that human beings are fallible, and this sort of issue is a real problem. He pointed to the Morgan Stanley financial adviser who was fired for allegedly stealing the account information of 350,000 clients, and posting 900 of them online.
Joseph Loomis, founder and CEO of CyberSponse, agreed, suggesting that employee loyalty should not be assumed. “How many employees do you know who truly care about the organisation where they work?” he said. “Excluding some of the top organisations in the marketplace, employee morale or care is always a concern for triggering insider threats.”
Sudhakar said he suspects workers know that if their personal passwords were compromised, the consequences would be severe, while they might view a corporate password as “someone else’s problem or think there might not be a consequence to misusing it.”
He added that some workers might not realise how important their corporate passwords are. “This is particularly true if the data they handle at work would not normally be considered sensitive,” he said, “as they likely fail to grasp that their account may provide a doorway that can be used a s a staging ground to gain access to more sensitive data via privilege escalation and other such methods.”