Safetica, a provider of employee monitoring and data protection software, has commissioned a survey to see whether British employees use their computers for non-work-related activities when they should be working, even when they know it’s against company policy. Urban Schrott of Safetica writes.
The research – carried out by TNS Omnibus – could help in understanding employees’ work habits and activities that might have an adverse effect on their productivity and the integrity of their company’s data.
The risks that irresponsible use of computers at work brings are two-fold. First there are the obvious lost work hours and the unnecessary costs involved, but there is also the heightened level of potential data security threats. According to a 2011 Ponemon Institute study, 63 per cent of company IT staff think that employees’ use of social media in the workplace represents a serious security threat to their organisation. In addition, Verizon’s 2010 study showed that 48 per cent of data breaches in 2010 were caused by insiders, while Ponemon Institute’s 2012 study showed that 78 per cent of organisations experienced data breaches as a result of negligent or malicious employees and that 56 per cent of data breach incidents were only discovered accidentally.
So, how did the British employees do? We asked 663 of them a multiple-answer question with two modifiers, to see if knowing that there is a company policy in place changes their attitude. Of all those asked, between 43 per cent and 54 per cent said they do not use a computer in their line of work.
A positive finding of this research is that simply having a policy in place reduces the (admitted) levels of undesirable activities by about one third (our research also shows an increase in the number of those who say they haven’t done any of these as they do not work with a computer). So even such a small step as explaining to employees what they can and cannot do in the workplace already has a beneficial effect. A more worrying aspect is, of course, that a relatively large percentage (up to one in four employees) engage in undesirable activities in spite of being aware of policies that prohibit them, while where policies are not in place as many as one in three employees engage in inappropriate activities.
The fact that the highest scores for admitted undesirable activity are in the printing of personal files and the use of social media may seem relatively harmless, but it does illustrate that breaking the rules is seen as relatively acceptable, while the security implications of those breaches may not even have been taken into consideration. These range from the outgoing (public facing) threat of making inappropriate posts on social media, which potentially harm the company’s productivity and reputation, to the incoming threat of possible malware infection of company computers and networks caused by clicking unsafe links.
However, the number of people admitting to taking company files home (even if against policy) is frighteningly high. Approximately one in ten people, on average, admit to having no qualms about doing that. In a company with 1000 employees, that means that up to 100 people are capable of walking away with sensitive company documents, which is a risk no company should take lightly.
It’s interesting to compare the results to the similar survey Safetica did in Ireland a month earlier, where males lead in every category, with a particularly noticeable lead when it comes to browsing for other employment, with 29 per cent of males compared to 14 per cent of females. In the UK the roles seem reversed. As the tables show, women are bolder when it comes to defying rules in almost all categories, and very closely tied with males even in those categories where they don’t lead. But – just like in Ireland – the older generations seem to be more orderly, with the young 25 to 34 age group scoring highest in all categories.
In light of all this, responsible companies would be wise to take steps to implement security policies which would prevent excessive abuse of company resources by employees. As can be gathered from these statistics, having a policy in place does make a difference. However, it only reduces the frequency of the unwanted activities; it does not completely prevent them. For protection against the unauthorised copying, emailing, editing, or opening of company files, as well as for monitoring, reporting and preventing employees from partaking in unauthorised activities, a comprehensive software solution should be considered.
More info at www.safetica.co.uk
Safetica is exhibiting at Infosecurity Europe 2013, on April 23 to 25, at Earl’s Court, London.