A recent survey of 1,000 enterprise employees in Australia, France, Germany, the Netherlands, the U.K. and the U.S. found that 1 in 5 respondents has uploaded proprietary corporate data to a cloud app such as Dropbox or Google Docs “with the specific intent of sharing it outside the company,” and 1 in 5 respondents use such apps without IT’s knowledge.
The survey, sponsored by SailPoint and conducted by Vanson Bourne, also found that 1 in 4 employees said they would take corporate data with them when they left their job, even though 60 percent of respondents said they knew their employer strictly forbids taking intellectual property after leaving the company.
Fully 66 percent of employees said they still had access to corporate data via cloud apps such as Dropbox or Google Docs after they left their jobs. Only 28 percent of respondents said corporate policies closely monitor their use of cloud apps for mission-critical data, and just 60 percent of employees are aware of company policy regarding corporate data theft.
The survey also found that 70 percent of employees use their mobile devices for work, and 63 percent of those employees access corporate data from those devices.
“The survey results are an eye opener of how cloud applications have made it easy for employees to take information with them when they leave a company,” SailPoint founder and president Kevin Cunningham said in a statement.
“With almost 20 percent of employees purchasing a cloud application for work without involving the IT departments, combined with the ability for employees to use consumer cloud apps for work activities, it’s virtually impossible to manage access to applications and the sharing of mission-critical data,” Cunningham added. “In order to establish control over this ‘bring your own app’ phenomenon, it’s critical to provide specific incentives for end users to follow corporate policy such as offering users a seamless login experience in exchange for using a central access control framework.”
SailPoint’s findings come soon after a survey by Avecto and Curve IT determined that 72 percent of temporary workers had received administrative privileges on their temporary employers’ IT systems. Only half of temp workers surveyed said they had been informed of any application or data restrictions when they were brought into the company.
“Giving any worker admin rights is akin to giving them the keys to the kingdom,” Avecto EVP Paul Kenyon said in a statement. “The insider threat has been well documented, but this research demonstrates that businesses clearly haven’t got the message.”
“There may be parts of a project where a contractor needs administrative rights to perform their role,” Kenyon acknowledged. “But that’s why privilege management and a granular approach to admin rights on the endpoint is so important — let users do what they need to do by granting privileges to applications rather than users.”
“Security is still viewed as a barrier that prevents employees from being able to carry out their roles,” Kenyon said. “We need a shift in mind-set, a positive approach about how security is viewed within the corporate environment.”
In September 2014, the FBI and the U.S. Department of Homeland Security warned of an increase in insider threats from disgruntled current and former employees.
“The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company,” the alert stated.
A recent eSecurity Planet article offered advice on defending against insider threats.