SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Nearly half of all employees are willing to share business secrets

How loyal are employees? According to a new report, 45% of employees would consider parting with enterprise secrets for a price or even for free. In addition, the report discovered 59% of office workers have already shared corporate information outside of the business.

The report by Deep Secure, titled ‘What is the Price of Loyalty’, investigates the reality of insider threat and the behaviours employees are already engaged in when it comes to corporate information and intellectual property (IP).

Employees consider sharing info and IP

The report found that $1,000 would be enough for 25% of office employees to sell corporate information, with 15% of workers reporting this would be enough to pass on confidential market information about the company, colleagues or customers, including details about the company's sales pipeline.

Furthermore, for $250 or less, 10% of employees said they would sell IP including product specifications, product code and patents. On top of this, 5% admitted they would give information away for free.

In total, nearly half (45%) of all employees were willing to part with sensitive information about their company for a price.

Employees already sharing secrets

Deep Secure's report shows that 59% of employees have already taken information off corporate networks and 47% of this group has then shared the information with a third party.

In many instances, employees stated that they took the information for personal use, either to use the information in their new role (12% of respondents) or because they wanted to keep a copy of their work (12%).

Even so, nearly half (47%) of employees shared this information with a third party. In many instances, employees took the information to a new employer (16%) or new employees (19%).

The survey also revealed that 17% of employees shared information with someone they didn't know, responding to an incentive or a threat. In this case, younger employees were more likely to share information, with 19% in graduate level roles paid to source information, and 29% of 16-24 year olds taking information for someone they didn't know.

How employees take business secrets

The most common way employees took business information was through digital techniques (11%). Digital techniques include sending information via email, uploading it directly to personal cloud storage, or saving it to an external storage device.

Furthermore, 8% of employees used tools such as steganography or encryption to cover their tracks when taking corporate information. This was more common in the IT and Telecoms industry at 13% of people, as well as HR at 15% and finance at 12%.

According to Deep Secure, cyber tools that enable employees to hide their actions are readily available on the dark web. One example given is steganography toolkits, which can be downloaded for free and provide an undetectable means of getting information from the company network by encoding images or text.

Second to digital techniques were more traditional techniques including printing (11%), handwriting (9%) and taking a photo of the information (8%).

Expert commentary on insider threat

Deep Secure CEO Dan Turner says, “The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company and clients' most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches. And it appears to be growing, with the 2018 Verizon DBIR showing that insiders were complicit in 28% of breaches in 2017, up from 25% in 2016.”

Turner says, “Given the prevalent use of digital and cyber tactics to exfiltrate this information, it's critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network.”

According to Deep Secure, a mixture of detection and prevention technologies is required to mitigate risk and strengthen data loss prevention.
